Cache-Control header broken in IE6 with https

Problem description

It appears that setting a Cache-Control: no-store header is ignored on https connections. It does appear to work with http connections. This seems an especially nasty bug since many banking sites use https and set the no-store header to avoid pages being stored on a users machine, or where ever the user happens to be.

Environment details

Steps to reproduce

  1. Open Internet Explorer
  2. Select Tools -> Internet Options
  3. Select the Advanced tab
  4. Make sure the Do not save encrypted pages to disk option near the bottom in the Security section is unchecked (not checked)
  5. Click OK
  6. Go to (this does not set a Cache-Control header)
  7. Click on any of the cache control links (eg try the one "Mode: Cache-Control: no-store" -, this will return a page with a "Cache-Control: no-store" header
  8. Click Back
  9. Select File -> Work offline
  10. Click Forward
  11. The page is displayed from the cache, despite the no-store header being set. In itself, possibly ok because the user hasn't closed the window, but...

  12. Copy the URL in the address bar
  13. Close all instances of Internet explorer
  14. Open a new instance (should still be in offline mode)
  15. Paste the URL into the address bar

The page is displayed from the cache. This is the more serious bug. The page was stored in the cache despite the no-store header being set. This has definitely information leakage and security implications as the user could have gone to a secure https banking page, then closed IE totally. Then another user could come along, open IE, look through the IE history, and navigate to a page in the history to get the supposedly secure, no-cached https page!

This only seems to be a problem with https URLs. If you change the above to plain http URLs, it does appear to obey the Cache-Control header.

If on the security settings page, you change check the Do not save encrypted pages to disk option is checked, then it appears effectively the no-store option is always set, and things work ok, but a user shouldn't have to navigate to the Advanced tab to check this setting on every machine they use (eg friends, work, etc), the server specifying the Cache-Control: no-store option should be enough.