Firefox 3, unexpected "cache-control" behaviour
Hi all,

I've been doing some work on a web site that is used to display potentially sensitive information. As such we serve all the pages with a "cache-control: no-cache, no-store" header (as well as marking them private, must-revalidate and supplying an already passed expires date).

I've hit a problem where in FF3 the user can log out of the system then use their browser's back-button to navigate back to pages containing sensitive data. This is obviously a security problem.

FF3 doesn't seem to be responding to the "cache-control" header in the manner expected. Looking at about:cache, the pages are correctly not being placed in the Disk Cache Device; they are however being placed in the Memory Cache Device. The HTTP/1.1 spec states that this is fine provided a best effort is made to remove the page from the volatile cache once it's been displayed. FF3 doesn't do this, and to compound this it doesn't re-fetch or even re-validate the page when the back button is pressed. This appears to only be the case for pages served as a response to an HTTP POST request. GET behaves as expected.

Under FF2 and IE6/7 the behaviour in this scenario is more as expected. Clicking the back-button to navigate to an expired page warns the user the page is expired and prompts them to re-POST the data if they wish. FF3 does not do this. It's unclear to me whether this is fully to spec or not as the spec around this (see section 14.9.2) is slightly ambiguous.

That said, I'm at a loss to explain why this behaviour would have been changed between Firefox 2 and 3. Is anyone able to shed any light on why this has changed or how to force FF3 not to behave this way?

Another user with this problem has kindly set up some test pages that illustrate the issue at: http://dev.jeffersonscher.com/cache/index.asp

Any help would be gratefully appreciated.

Many thanks,
Jason
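A defender-side check for the header set the post describes, added here as an example (it is not code from the thread, from the linked test pages, or from Firefox): a small Python audit that parses Cache-Control and flags responses a cache could replay, for instance via the back button. The header dictionary and the `parse_cache_control`/`audit_cache_headers` functions are my own construction.

```python
import email.utils
import time

# Header set the post describes for sensitive pages: no-cache, no-store,
# private, must-revalidate and an already-expired Expires date (constructed).
SENSITIVE_PAGE_HEADERS = {
    "Cache-Control": "no-cache, no-store, private, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
}


def parse_cache_control(value):
    """Split a Cache-Control value into a {directive: argument} dict.

    Directive names are case-insensitive; directives without '=' map to None.
    """
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_cache_headers(headers, now=None):
    """Return the problems that would let a sensitive response be served
    from a cache; an empty list means the headers match the expected set.

    `headers` is a dict of response headers; names are matched case-insensitively.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    problems = []
    cc = parse_cache_control(hdr.get("cache-control", ""))
    if "no-store" not in cc:
        problems.append("Cache-Control lacks no-store")
    if "no-cache" not in cc:
        problems.append("Cache-Control lacks no-cache")
    if "public" in cc:
        problems.append("Cache-Control marks the response public")
    if "max-age" in cc and cc["max-age"] not in (None, "0"):
        problems.append("Cache-Control sets a non-zero max-age")
    expires = hdr.get("expires")
    if expires is None:
        problems.append("Expires header missing")
    elif email.utils.parsedate_to_datetime(expires).timestamp() > (now or time.time()):
        problems.append("Expires is in the future")
    return problems
```

This only verifies what the server sends; the Firefox 3 memory-cache behaviour the post describes happens on the client regardless, so the linked test pages remain the way to confirm what a given browser does on back navigation.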