From 968e470684e3e2bfe51015fcb7a20d33038a64d7 Mon Sep 17 00:00:00 2001
From: Pierre de La Morinerie
Date: Tue, 14 Apr 2020 16:28:15 +0000
Subject: [PATCH] config: never cache rails-generated pages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This instructs browsers to never cache content directly generated by the controllers. This includes HTML pages, JSON responses, PDF files, etc.

This is because some mobile browsers have a behaviour where, although they will delete the session cookie when the browser shuts down, they will still serve a cached version of the page on relaunch.

The CSRF token in the HTML is then mismatched with the CSRF token in the session cookie (because the session cookie has been cleared). This causes form submissions to fail with an "ActionController::InvalidAuthenticityToken" exception.

To prevent this, tell browsers to never cache the HTML of a page. (This doesn’t affect asset files, which are still sent with the proper cache headers).

See https://github.com/rails/rails/issues/21948
---
 config/application.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/application.rb b/config/application.rb
index be10d163e..2ecce58c2 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -35,6 +35,18 @@ module TPS config.action_view.sanitized_allowed_tags = ActionView::Base.sanitized_allowed_tags + ['u'] + # Some mobile browsers have a behaviour where, although they will delete the session + # cookie when the browser shutdowns, they will still serve a cached version + # of the page on relaunch. + # The CSRF token in the HTML is then mismatched with the CSRF token in the session cookie + # (because the session cookie has been cleared). This causes form submissions to fail with + # a "ActionController::InvalidAuthenticityToken" exception. + # To prevent this, tell browsers to never cache the HTML of a page. + # (This doesn’t affect assets files, which are still sent with the proper cache headers). + # + # See https://github.com/rails/rails/issues/21948 + config.action_dispatch.default_headers['Cache-Control'] = 'no-store, no-cache' + config.to_prepare do # Make main application helpers available in administrate Administrate::ApplicationController.helper(TPS::Application.helpers)
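Review bot: the value `'no-store, no-cache'` on the new `config.action_dispatch.default_headers['Cache-Control']` line deserves a sentence in the comment block, because `no-store` alone already tells a cache never to store the response and `no-cache` only adds "revalidate before reuse"; if both are kept for browsers that treat the two directives differently, say so, otherwise `no-store` by itself states the intent. Two smaller points in the same hunk: the comment repeats the commit message nearly word for word, including "shutdowns", "a "ActionController::InvalidAuthenticityToken" exception" (should be "an") and "assets files", so fix the wording here too; and since `default_headers` only supplies a default, any controller that sets its own `Cache-Control` (for example through `expires_in`) keeps its caching behaviour, so it is worth confirming that no controller does that for a page that embeds a CSRF token. Finally, note the user-visible cost in the comment: some browsers exclude `no-store` responses from the back/forward cache, so back-button navigation will refetch those pages.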