
According to the docs:

> Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website

Now trying it, you can see in the screenshot (Firefox v76) that in the Response section, Clear-Site-Data was set in the browser, but you can still see the assets as "cached":

Note: Even after navigating back/forth after some time, the cached assets don't seem to get cleared.


I'm under the impression this will happen instantly but I can't get it to work. Is this supposed to happen instantly or after some time, or am I just missing something else?


Update for those who care:

Clear-Site-Data appears to only work on localhost or https

IMB

1 Answer


> Is this supposed to happen instantly or after some time, or am I just missing something else?

It is supposed to happen instantly. The (draft) spec states:

> If the Clear-Site-Data header is present in an HTTP response received from the network, then data MUST be cleared before rendering the response to the user.

Additionally, as you mention in this comment, it is only supported when a request is secure (either https or localhost).

I prepared a simple test, with two resources:

  • index.html -- a page that links to a CSS file, and also accepts a ?clear query parameter to include a CSD header in the response
  • style.css -- a CSS page with random colours, to make clear when it has been regenerated, that declares itself as cacheable

This behaved as specified with Firefox 76.0.1; on receiving a resource with Clear-Site-Data: "cache", the cache is cleared before fetching its subresources.

Without Clear-Site-Data:

  • Fetch index.html by entering the URL and hitting Enter
  • Repeat this. Note that the referenced style.css is served from the cache, and the page colour doesn't change

With Clear-Site-Data:

  • Fetch index.html?clear by entering the URL and hitting Enter
  • Repeat this. Note that the referenced style.css is not served from the cache, and the page colour changes

Code:

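```python
#!/usr/bin/python3

import http.server
import random
import socketserver

PORT = 8000


class SampleDataHandler(http.server.SimpleHTTPRequestHandler):

    def do_GET(self):
        if ".css" in self.path:
            # style.css: cacheable for an hour, with a random colour so that a
            # regenerated (non-cached) copy is visible in the page.
            self.send_response(200)
            self.send_header('Content-Type', 'text/css')
            self.send_header('Cache-Control', 'max-age=3600')
            self.end_headers()
            # The leading '#' makes this a valid CSS hex colour.
            color = b"#%06x" % random.randint(0, 0xFFFFFF)
            self.wfile.write(b"html{background-color: " + color + b";}\n")
        else:
            # index.html: request it with ?clear to have the response carry
            # Clear-Site-Data. The directive is a quoted string.
            self.send_response(200)
            self.send_header('Content-Type', 'text/html')
            if '?clear' in self.path:
                self.send_header('Clear-Site-Data', '"cache"')
            self.end_headers()
            self.wfile.write(b"<link rel=stylesheet href=style.css>This is the content.\n")


# Open http://localhost:8000/ in the browser: the header is only honoured
# on https or localhost.
httpd = socketserver.TCPServer(("", PORT), SampleDataHandler)

httpd.serve_forever()
```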
Joe
  • Could it be due to the `?clear` flag? because even without the `Clear-Site-Data` directive, any random `?string` should clear the cache at least on your first visit. What happens if you repeatedly visit with `?clear` flag? Also can you verify in the browser inspector if it's actually served from cache? – IMB May 13 '20 at 21:01
  • Yes, the network tab confirms that it's served from the cache when no `CSD` header is sent. Note that it's the `style.css` that is (or isn't) served from the cache, not the initial `index.html`. – Joe May 14 '20 at 03:11
  • I'm pretty much doing something similar (but in PHP). Mind if you send a screenshot of your browser inspector after visiting `index.html?clear` multiple times through a link that links `index.html` to itself? Note: hitting refresh appears to deliberately clear cache so it must come from a self link. – IMB May 14 '20 at 04:50
  • As I mention, I'm reloading by entering the URL and hitting Enter, which respects the cache, rather than following a link. The browser inspector just shows whether or not `style.css` was served from the cache, as described in those cases. If you're able to run Python, try that example. – Joe May 14 '20 at 11:34
  • I have finally found why I couldn't get it to work: `Clear-Site-Data` only works on `localhost` or `https`. I don't think this is "officially" documented. I've been testing it on a non-localhost Docker URL that's why it never worked. After testing on `localhost` I can verify `CSD` works instantly. Although I wasn't able to test your example, it still helped me in a way so I will accept it. – IMB May 14 '20 at 13:34
  • Good find! [This line](https://hg.mozilla.org/integration/mozilla-inbound/rev/015ed5271d5d#l6.202) appears to assert that in Firefox, and it's a no-op for a URI that's not considered "secure". It should probably be listed with [Features restricted to secure contexts](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts). – Joe May 14 '20 at 15:10
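
The restriction found in the comments can be checked before debugging the browser. The following is an added example, not part of the original answer or of any browser's code: the function names are hypothetical, the trust check only approximates the "https or localhost" rule described above, and `172.17.0.2` is a constructed stand-in for a non-localhost Docker address.

```python
import ipaddress
from urllib.parse import urlsplit

# Data types named by the header's directives; "*" selects all of them.
KNOWN_TYPES = {"cache", "cookies", "storage", "executionContexts"}


def is_potentially_trustworthy(url):
    """Approximate the 'https or localhost' rule from the discussion."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme == "https":
        return True
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        # 127.0.0.0/8 and ::1 count as loopback.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a plain hostname over http


def parse_clear_site_data(value):
    """Return the data types named by a Clear-Site-Data header value."""
    types = set()
    for item in value.split(","):
        item = item.strip()
        # Each directive must be a quoted string: "cache", not cache.
        if len(item) < 2 or item[0] != '"' or item[-1] != '"':
            continue
        name = item[1:-1]
        if name == "*":
            types |= KNOWN_TYPES
        elif name in KNOWN_TYPES:
            types.add(name)
    return types


def data_cleared(url, header_value):
    """Data types a browser would clear for this response; empty if ignored."""
    if not is_potentially_trustworthy(url):
        return set()  # header is a no-op on an insecure origin
    return parse_clear_site_data(header_value)
```

An empty result for a URL that does send the header points at either the origin (plain http on a non-loopback host) or a directive written without its double quotes.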