W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2010

Re: Does no-store in request imply no-cache?

From: David Morris <dwm@xpasc.com>
Date: Sun, 17 Oct 2010 18:34:52 -0700 (PDT)
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.64.1010171827530.15971@egate.xpasc.com>

On Sun, 17 Oct 2010, Eric J. Bowman wrote:

> David Morris wrote:
> >
> > But if the application author went to the trouble of making
> > such a request, then we should err on the side of privacy and
> > preclude any use of storage for the request or response.
> > 
> Why are you assuming it's the application author making the request?

Because that is the only likely source of such a header on a
request. No reason for a browser to add this flag on its own. A tool
such as wget or curl might add the header flag as a consequence of
human direction. The pure definition is no use of storage. I see
no reason to contaminate that definition.

> > 
> > I'd argue that to not be true. NO-STORE is a privacy oriented
> > directive and I don't think we have the ability to discern all the
> > small leaks that might occur given the clever black hats that abound.
> > The safe path is no use of storage.
> > 
> But in this case, the sender intent explicitly allows caching.  If the
> application author wants to change a representation to never be stored,
> then the server configuration needs changed, which isn't the intent of
> no-store in a request.  In fact, I think the clever black-hats might
> find it useful to know that a DDoS can get around cached responses by
> just invalidating them in the initial requests.

No, there is no invalidation of a cache here ... the cache should be 
ignored ... no use of storage (aka no-store) is just that, this request
is processed without reference to the current content of the cache.
So the only DoS is w.r.t. the current request.
Received on Monday, 18 October 2010 01:35:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:55 UTC