SECURITY: Don't reuse CSP nonce between anonymous requests

lib/middleware/anonymous_cache.rb

@@ -43,6 +43,21 @@ module Middleware
       env["ANON_CACHE_DURATION"] = duration
     end
 
+    def self.clear_all_cache!
+      if Rails.env.production?
+        raise "for perf reasons, clear_all_cache! cannot be used in production."
+      end
+      Discourse.redis.keys("ANON_CACHE_*").each { |k| Discourse.redis.del(k) }
+    end
+
+    def self.disable_anon_cache
+      @@disabled = true
+    end
+
+    def self.enable_anon_cache
+      @@disabled = false
+    end
+
     # This gives us an API to insert anonymous cache segments
     class Helper
       RACK_SESSION = "rack.session"
@@ -232,7 +247,10 @@ module Middleware
       end
 
       def cacheable?
-        !!(!has_auth_cookie? && get? && no_cache_bypass)
+        !!(
+          GlobalSetting.anon_cache_store_threshold > 0 && !has_auth_cookie? && get? &&
+            no_cache_bypass
+        )
       end
 
       def compress(val)
@@ -326,6 +344,8 @@ module Middleware
     PAYLOAD_INVALID_REQUEST_METHODS = %w[GET HEAD]
 
     def call(env)
+      return @app.call(env) if defined?(@@disabled) && @@disabled
+
       if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
            env[Rack::RACK_INPUT].size > 0
         return 413, { "Cache-Control" => "private, max-age=0, must-revalidate" }, []