Re: does no-store request invalidate? [i23]

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Tue, 05 Feb 2008 15:08:34 +0100
To: David Morris <dwm@xpasc.com>
Cc: ietf-http-wg@w3.org
Message-Id: <1202220514.17924.69.camel@hlaptop>

Mon 2008-02-04 at 21:37 -0800, David Morris wrote:
> I don't have the bandwidth at the moment to check, but the same should be
> true if the response contains do not cache ... neither the request nor the
> response may be cached.

It's not. no-cache still allows caches to store the response/request.

Response directive no-cache is pretty much the same as max-age=0,
must-revalidate.

Request directive no-cache just says that a cache may not be used to
satisfy this request. It says nothing about how the response is to be
handled. Wording is a bit dim on this in the definition of no-cache
where only the response directive semantics is considered, but is
clarified later on in "Cache Revalidation and Reload Controls".

no-store on the other hand says that neither the request or its
response may be permanently stored in a cache, or that the cache should
at least make best effort to permanently erase any data carried in the
request and response as soon as possible after completion. no-store is
explicitly not limited to responses as also the request may carry
sensitive information, i.e. as part of a PUT/POST request. But it gets a
little weird talking about caches in this context. What is really meant is that
all processing agents (not just caches) MUST NOT permanently store the
carried request or response entity, not limited to just caches. But
there is no good term for this so "cache" is used as the closest
matching term.

Storing of the request may occur as part of request forwarding. Quite
noticeably if for example scanning PUT requests for viruses. This isn't
really a cache, but the no-store directive still applies. There is also
a request history cache in most user-agents where the directive should
apply.

It's somewhat unclear to me if a no-store request directive also implies
no-cache, or if the request may still be satisfied with a priorly cached
entity. But I guess from the description of no-store that it may still
be satisfied by a cached entity unless combined with no-cache as it only
talks about storing information from this request/response for
security/privacy reasons, not how the request may be satisfied.

Regards
Henrik

Received on Tuesday, 5 February 2008 14:10:30 GMT
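
The directive semantics as read in the message above, written out as a decision function. This is an added example, not code from the thread or from any HTTP implementation; the names `parse_cache_control`, `decide` and `Decision` are hypothetical, and letting a no-store request be answered from an existing entry follows the message's own guess rather than settled specification text.

```python
import re
from typing import NamedTuple, Optional

# directive name, optionally followed by =token or ="quoted string"
# (a quoted argument may itself contain commas, so splitting on "," is not enough)
_DIRECTIVE = re.compile(r'([^\s,="]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]*))?')

def parse_cache_control(value: Optional[str]) -> dict:
    """Return {directive: argument or None}; directive names are case-insensitive."""
    out = {}
    for name, arg in _DIRECTIVE.findall(value or ""):
        out[name.lower()] = arg.strip('"') or None
    return out

class Decision(NamedTuple):
    may_answer_from_cache: bool    # may an already stored entry satisfy this request?
    may_store: bool                # may the request/response be written to persistent storage?
    revalidate_before_reuse: bool  # must a stored copy be revalidated before every reuse?

def decide(request_cc: Optional[str], response_cc: Optional[str]) -> Decision:
    req = parse_cache_control(request_cc)
    resp = parse_cache_control(response_cc)
    # Request no-cache: the cache may not be used to satisfy this request.
    # It says nothing about how the response is handled afterwards.
    may_answer = "no-cache" not in req
    # no-store in either direction forbids persisting the exchange. The message
    # applies this to any agent holding the body (for example an upload
    # scanner's spool or a user-agent history), not only to caches.
    may_store = "no-store" not in req and "no-store" not in resp
    # Response no-cache: storable, but treated like max-age=0, must-revalidate.
    # Assumption: the field-qualified form no-cache="Header" is handled
    # conservatively as if it were the unqualified directive.
    revalidate = may_store and "no-cache" in resp
    return Decision(may_answer, may_store, revalidate)

if __name__ == "__main__":
    # Constructed header combinations, one per case discussed in the message.
    cases = [
        ("no-cache", None),            # reload: bypass the cache, response still storable
        (None, "no-cache"),            # stored, but revalidated on every reuse
        ("no-store", None),            # e.g. a POST carrying sensitive data
        (None, "private, no-store"),   # sensitive response
    ]
    for req_cc, resp_cc in cases:
        print(f"request={req_cc!r} response={resp_cc!r} -> {decide(req_cc, resp_cc)}")
```
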
