Hello,

An application I work on generates PDF documents and renders them in a browser window. Some of the data in the documents can be considered sensitive so we're exploring how to prevent the browser from caching the document contents. We're using the following Java code which prevents caching in Firefox but doesn't work in IE 8:

response.setHeader("Expires", "0");                          // "already expired" timestamp
response.setHeader("Pragma", "private");                     // HTTP/1.0 cache hint
response.setHeader("Cache-Control", "max-age=0, no-store");  // HTTP/1.1: do not store a copy
response.setHeader("Content-disposition", "inline; filename= \"" + filename + "\"");  // display in the browser, not as a download
response.setContentLength(fbytes.length);                    // fbytes holds the generated PDF

I'm wondering if anyone has had any luck manipulating headers to prevent IE from caching? Thanks in advance.

A: 

When you say "caching", do you mean "writing the document to the disk"?

No, there's no good way to do that because the Adobe PDF reader relies on the cache file in order to display the document.

Ordinarily, specifying "no-store" on an HTTPS document prevents it from downloading in IE at all, as discussed here: http://blogs.msdn.com/b/ieinternals/archive/2009/10/03/internet-explorer-cannot-download-over-https-when-no-cache.aspx. However, since this document is being handled by the Adobe MIME handler, it seems that you're not hitting that problem.

The real question is "What's your threat model?" A bad guy with the ability to read the user's TIF typically has the ability to do other badness (e.g. install malware) so trying to keep the document off disk is a fairly futile exercise. This is especially true because modern operating systems use virtual memory (which writes memory pages to the hard disk in a swap file), which means that a bad guy with unrestricted ability to read the hard disk can recover the contents of memory anyway.

EricLaw -MSFT-
Thanks Eric. Your understanding of my issue is spot on. I've found that using a no-store header works in IE6 and Firefox, but not in IE7 or 8. Regarding the threat model, agreed on all counts. This is as much about optics as it is about real security. Thanks for taking a moment to shed some light on this.
Mike Davison
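For anyone landing on this thread with the same question, here is the header set the original code was reaching for, written as a servlet filter. This is an added example, not the poster's code and not something from Eric's reply; the class name, the filter mapping and the "assumed" notes are mine. It only controls what a standards-following HTTP cache does with the response; as the answer above explains, it cannot stop the PDF plug-in from writing its own working copy, and it does not change the swap-file point.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the original poster's code): a servlet filter that stamps
 * the full anti-caching header set onto every response it wraps. Map it to the
 * URL pattern that serves the PDFs (e.g. /reports/*) in web.xml; the class and
 * pattern names here are assumptions for illustration.
 */
public class NoStoreFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            applyNoStoreHeaders((HttpServletResponse) res);
        }
        // Headers have to be in place before the servlet commits the response,
        // so they are set first and only then is control handed to the PDF servlet.
        chain.doFilter(req, res);
    }

    /** Kept as a static helper so a servlet can call it directly without the filter. */
    public static void applyNoStoreHeaders(HttpServletResponse resp) {
        // HTTP/1.1: "no-store" forbids writing the response to any cache. The
        // other directives force revalidation if an intermediary ignores no-store.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
        // HTTP/1.0 fallback: "no-cache" is the only Pragma directive defined by
        // RFC 2616. "Pragma: private", as in the question, is not one caches act on.
        resp.setHeader("Pragma", "no-cache");
        // A date in the past. setDateHeader emits a well-formed HTTP-date rather
        // than the bare "0" string, which some parsers reject.
        resp.setDateHeader("Expires", 0L);
    }

    @Override
    public void destroy() { }
}
```

Two practical notes. First, keep the Content-Disposition line in the servlet itself, and strip CR, LF and quote characters from any user-influenced filename before concatenating it into the header value, otherwise a crafted name can inject extra headers. Second, the IE behaviour Eric links to means that over HTTPS this header set can make IE refuse to hand a file to an external application at all; whether the Adobe handler path avoids that, as his reply says, is something to test in the browser versions you support rather than assume.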