According to the W3C: The purpose of the no-store directive is to prevent the inadvertent release or retention of sensitive information. ( https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2 ) Google is sending this value on most of the responses that contains sensible data as you can see from the screenshot below:
The problem is that some old Gmail endpoints are not including this value, like for instance:
The mentioned endpoint is the one used by the official Gmail ChromeExtension:
So every time this endpoint is acceded by your browser it stores the result in the cache, storing all your unread e-mail in a shared space including several private information:
I reported this about three weeks ago, sending a detailed description and the next video:
Nobody visualised the video before I got a the next answer from Google:
So, since in order to explode this security flaw it is required access to the computer Google doesn't care about your security, you must use your own computer :(
In the real world the people share computers and they also use public ones. After a user closes the session, the expected result is that all the user data should be safe when the used computer is not compromised at all, I wasn't talking about install any sort of malware, keyloger or whatever, just the official Gmail extension.
When I came back I made a video where I was able to access the private e-mail of more than twenty accounts.
I will not publish this video since I prefer to don't get in trouble, but I really think that this is an important security issue, easy to fix that should be addressed as soon as possible.