MediaWiki controllers which do not use the normal header handling of OutputPage (call OutputPage::disable(), or do not use OutputPage at all) do their own implementation of "don't cache if the user is authenticated". There are many ways to get that wrong, and several controllers do. This task is about cleaning them up.
- provide a helper method (along the lines of OutputPage::sendCacheControl(), presumably) that any controller can call instead of trying to come up with their own logic
- MediaWiki-extensions-CentralNotice Special:BannerLoader should not set Cache-Control: public when there's a session
- MediaWiki-extensions-CentralNotice Special:HideBanners should not set Cache-Control: public for anonymous sessions
- MediaWiki-extensions-WikibaseRepository Special:EntityData should not set Cache-Control: public when there's a session
- action=raw should not set Cache-Control: public for anonymous sessions. (While we are there also clean up the harmless but nonsensical private + smaxage>0 combination.)
- PageHistoryCountHandler should not set Cache-Control: public when there's a session
- rest.php should probably have some kind of generic facility for this
AjaxResponse (see T42787: Remove legacy ajax interface) also has code for enabling caching, but it does not seem reachable.
TODO: add other stuff here from T256395#6298796