
Re: Does no-store in request imply no-cache?

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Sun, 17 Oct 2010 19:12:16 -0600
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: David Morris <dwm@xpasc.com>
Message-Id: <20101017191216.7eeb5421.eric@bisonsystems.net>

David Morris wrote:
>
> But if the application author went to the trouble of making
> such a request, then we should err on the side of privacy and
> preclude any use of storage for the request or response.
> 

Why are you assuming it's the application author making the request?

> 
> I'd argue that to not be true. NO-STORE is a privacy oriented
> directive and I don't think we have the ability to discern all the
> small leaks that might occur given the clever black hats that abound.
> The safe path is no use of storage.
> 

But in this case, the sender intent explicitly allows caching.  If the
application author wants to change a representation to never be stored,
then the server configuration needs changed, which isn't the intent of
no-store in a request.  In fact, I think the clever black-hats might
find it useful to know that a DDoS can get around cached responses by
just invalidating them in the initial requests.

-Eric
Received on Monday, 18 October 2010 01:12:52 GMT
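
Added example, not part of the original message or of any real HTTP cache: a toy Python cache that contrasts the two readings debated in this thread, a request `no-store` meaning "do not store this exchange" versus "make no use of storage at all", by counting origin fetches. `ToyCache`, `origin_load` and the `/report` URL are hypothetical, and freshness and validation are not modelled.

```python
# Added example: toy shared cache comparing two readings of a request-side
# "Cache-Control: no-store". All names are hypothetical; inputs are constructed.

def directives(headers):
    """Parse a Cache-Control header value into a set of lowercase directive names."""
    raw = headers.get("Cache-Control", "")
    return {d.split("=", 1)[0].strip().lower() for d in raw.split(",") if d.strip()}


class ToyCache:
    def __init__(self, origin, no_store_bypasses_cache):
        self.origin = origin                   # callable(url) -> body
        self.strict = no_store_bypasses_cache  # True: "no use of storage" reading
        self.store = {}                        # url -> body (freshness not modelled)
        self.origin_hits = 0

    def get(self, url, headers=None):
        d = directives(headers or {})
        no_store = "no-store" in d
        # no-cache always goes to the origin (revalidation modelled as a refetch).
        # Under the strict reading, a request no-store does the same.
        must_fetch = "no-cache" in d or (no_store and self.strict)
        if not must_fetch and url in self.store:
            return self.store[url], "HIT"
        self.origin_hits += 1
        body = self.origin(url)
        if not no_store:
            self.store[url] = body             # never store a no-store exchange
        return body, "MISS"


def origin_load(strict, n=100):
    """Prime the cache once, then send n no-store requests; return origin load."""
    cache = ToyCache(lambda url: "body of " + url, strict)
    cache.get("/report")                       # ordinary request fills the cache
    for _ in range(n):
        cache.get("/report", {"Cache-Control": "no-store"})
    return cache.origin_hits, "/report" in cache.store


if __name__ == "__main__":
    for strict in (False, True):
        hits, still_cached = origin_load(strict)
        print(f"strict={strict}: origin fetches={hits}, entry cached={still_cached}")
```

Under the first reading the origin is fetched once for 101 requests; under the second, every request carrying the directive reaches the origin even though a stored response exists.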
