W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2010

Fwd: Does no-store in request imply no-cache?

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 18 Oct 2010 10:53:56 +1100
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <AA7CA950-F7DA-4524-A964-4227CF36C7DB@mnot.net>
Thoughts re: the below?

My inclination is to clarify "any response to it" so that a cache can use the same cached response to serve multiple requests with no-store in them (or not). 

Cheers,


Begin forwarded message:

> From: Alex Rousskov <rousskov@measurement-factory.com>
> Date: 23 September 2010 9:47:57 AM AEST
> To: Mark Nottingham <mnot@yahoo-inc.com>
> Cc: Squid Developers <squid-dev@squid-cache.org>
> Subject: Re: Does no-store in request imply no-cache?
> 
> On 09/22/2010 05:05 PM, Mark Nottingham wrote:
> 
>> Strictly, as a request directive it means "you can't store the
>> response to this request" -- it says nothing about whether or not you
>> can satisfy the request from a cache.
> 
> Hi Mark,
> 
>    Let's assume the above is correct and Squid satisfied the no-store 
> request from the cache. Should Squid purge the cached response afterwards?
> 
> If Squid does not purge, the next regular request will get the same 
> cached response as the no-store request got, kind of violating the "MUST 
> NOT store any response to it" no-store requirement.
> 
> If Squid purges, it is kind of silly because earlier requests could have 
> gotten the same "sensitive" information before the no-store request came 
> and declared the already cached information "sensitive".
> 
> Thank you,
> 
> Alex.
> 
> 
>> See also:
>>  http://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-11#section-3.2.1
>> 
>> 
>> On 23/09/2010, at 4:27 AM, Alex Rousskov wrote:
>> 
>>> Hello,
>>> 
>>>    One interpretation of RFC 2616 allows the proxy to serve hits when
>>> the request contains "Cache-Control: no-store". Do you think such an
>>> interpretation is valid?
>>> 
>>>  no-store
>>>      The purpose of the no-store directive is to prevent the
>>>      inadvertent release or retention of sensitive information (for
>>>      example, on backup tapes). The no-store directive applies to the
>>>      entire message, and MAY be sent either in a response or in a
>>>      request. If sent in a request, a cache MUST NOT store any part of
>>>      either this request or any response to it.
>>> 
>>> Thank you,
>>> 
>>> Alex.

--
Mark Nottingham   http://www.mnot.net/
Received on Sunday, 17 October 2010 23:54:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:29 GMT