@@ -275,17 +275,37 @@ class TestBrowserSession {
275275 }
276276
277277 final shouldBePublic =
278- firstPathSegment == 'static' || firstPathSegment == 'documentation' ;
278+ firstPathSegment == 'static' ||
279+ firstPathSegment == 'documentation' ||
280+ uri.path == '/api/search-input-completion-data' ;
279281 final knownExemption =
280282 firstPathSegment == 'experimental' || firstPathSegment == 'report' ;
283+ final cacheHeader = rs.headers[HttpHeaders .cacheControlHeader];
281284 if (shouldBePublic && ! knownExemption) {
282- final cacheHeader = rs.headers[HttpHeaders .cacheControlHeader];
283285 if (cacheHeader == null ||
284286 ! cacheHeader.contains ('public' ) ||
285287 ! cacheHeader.contains ('max-age' )) {
286- serverErrors.add ('${rs .url } is without public caching.' );
288+ serverErrors.add (
289+ '${rs .url } is without public cache-control header (was: $cacheHeader ).' ,
290+ );
287291 }
288292 }
293+ // NOTE: We have deliberately removed `cache-control: public` from pages that
294+ // are both public and can have custom content based on the signed-in
295+ // status (e.g. like button, admin links or the status in the header).
296+ // https://github.com/dart-lang/pub-dev/pull/9035
297+ //
298+ // To fix this, we need to test with different CDN configuration (e.g. to
299+ // skip caching if the session cookie is present), or otherwise the
300+ // combination of public caching + sign-in could result stale pages at the
301+ // user's browser (see issue #9033).
302+ if (! shouldBePublic &&
303+ cacheHeader != null &&
304+ cacheHeader.contains ('public' )) {
305+ serverErrors.add (
306+ '${rs .url } must have non-public cache-control header (was: $cacheHeader ).' ,
307+ );
308+ }
289309 }
290310 });
291311
0 commit comments