Re: does no-store request invalidate? from Alex Rousskov on 2005-07-27 (ietf-http-wg@w3.org from July to September 2005)

From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Wed, 27 Jul 2005 14:13:35 -0600
To: Mark Nottingham <mnot@mnot.net>
Cc: ietf-http-wg@w3.org
Message-Id: <1122495215.80546.23.camel@pail.measurement-factory.com>

On Wed, 2005-07-27 at 12:56 -0700, Mark Nottingham wrote:
> My reading is that a no-store request header applies to that request  
> only; i.e., it's control information specific to that client, at the  
> time it made that request. 

That is my reading as well, but I wonder whether that was the intent. It
seems odd that the protocol talks at length about validating cached
entries using fresh 304 and HEAD responses but does not mention similar
validation using no-store responses.

> Otherwise, a malicious client could  
> effectively invalidate any cache entry it chose to.

... which it can often do without no-store (using a DELETE method, for
example):

   "If the [DELETE] request passes through a cache and the Request-URI
identifies one or more currently cached entities, those entries SHOULD
be treated as stale."

Alex.

> On 26/07/2005, at 9:53 AM, Alex Rousskov wrote:
> 
> >
> > Hello,
> >
> >     Responses to HTTP requests with "Cache-control: no-store" are not
> > cachable. Recently, we came across a cache that does not cache  
> > responses
> > to no-store requests but also does not invalidate an older cached  
> > entity
> > with the same URL. When future requests stop using no-store, the old
> > cached entity is served.
> >
> > For example, the following happens in our test case:
> >
> >   1. Client requests an entity A without using no-store.
> >   2. Cache proxies the transaction and caches the response (entity A).
> >
> >   3. Client requests the same entity A using "Cache-control: no- 
> > store".
> >   4. Cache proxies the transaction and does NOT cache the response.
> >
> >   5. Client requests the same entity A again, without using no-store.
> >   6. Cache serves the "old" entity A cached in step #2 above.
> >
> > Does the cache violate the intent of RFC 2616 in step #6? If yes,  
> > should
> > that intent be made explicit (I cannot find any explicit rules
> > prohibiting the above behavior)?
> >
> > If no, should the cache check that response in step #4 does not  
> > indicate
> > that cached entity A is stale? I cannot find explicit rules requiring
> > that, but we do have similar rules about 304 and HEAD responses
> > invalidating older cached entities.
> >
> > Thank you,
> >
> > Alex.
> >
> >
> >
> >
> >
> 
> 
> --
> Mark Nottingham     http://www.mnot.net/
>

Received on Wednesday, 27 July 2005 20:16:02 UTC