RE: Privacy and HTTP intermediaries

From: Thomson, Martin <Martin.Thomson@commscope.com>
Date: Tue, 3 May 2011 10:16:15 +0800
To: Mark Nottingham <mnot@mnot.net>
CC: httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <8B0A9FCBB9832F43971E38010638454F040490717E@SISPE7MB1.commscope.com>

On 2011-05-03 at 11:47:45, Mark Nottingham wrote:
> On 03/05/2011, at 11:10 AM, Thomson, Martin wrote:
> 
> > Does the value of the Cache-Control header have any bearing on whether 
> > something is logged?
> 
> Nope.
> 
> I suppose you could read Cache-Control: no-store as having those 
> semantics, but it doesn't in any implementation I'm aware of. Perhaps 
> we need to clarify that.

With my privacy nut hat on, it would be nice if that could be added.  It's certainly consistent with the definition of no-store.

I'm not expecting the guidance to have any teeth, nor for it to have any impact on implementations, but there's a definite advantage to having text to that effect.

There is the question about non-caching intermediaries that might otherwise perform logging.  They aren't always going to look at Cache-Control unless they need to (for no-transform), so a caveat along the lines of "this is NOT a reliable or sufficient mechanism" might need to be added for this.

That leaves me with (for p6, S3.2.1 & S3.2.2):

  An intermediary that performs logging (whether or not it implements a cache) MUST NOT perform logging for requests or responses with a no-store directive.

--Martin
Received on Tuesday, 3 May 2011 02:16:49 GMT
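
The rule proposed in the message above, sketched as an added example that is not part of the original post or of any HTTP specification text: a hypothetical logging intermediary that parses Cache-Control on both the request and the response and skips its access log when either carries no-store. All function names and the sample exchanges are constructed for illustration.

```python
# Added example: the "no-store means no logging" rule proposed in the message,
# applied by a hypothetical logging intermediary. All names are illustrative.

def split_outside_quotes(value):
    """Split a Cache-Control value on commas that are not inside a quoted-string."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf))
    return items

def directives(headers):
    """Lower-cased directive names from every Cache-Control field in a message."""
    names = set()
    for name, value in headers:
        if name.lower() == "cache-control":
            for item in split_outside_quotes(value):
                names.add(item.split("=", 1)[0].strip().lower())
    names.discard("")
    return names

def may_log(request_headers, response_headers):
    """Proposed rule: no logging if either message carries no-store."""
    return not any("no-store" in directives(h)
                   for h in (request_headers, response_headers))

# Constructed sample exchanges: (target, request headers, response headers).
SAMPLES = [
    ("/news", [], [("Cache-Control", "max-age=60")]),
    ("/account", [], [("Cache-Control", "private, No-Store")]),
    ("/search?q=x", [("cache-control", "no-store")], []),
    ("/inbox", [], [("Cache-Control", "max-age=0"), ("Cache-Control", "no-store")]),
    ("/feed", [], [("Cache-Control", 'no-cache="x-a, no-store, x-b"')]),
]

def logged_targets(samples=SAMPLES):
    """Targets the intermediary would write to its access log."""
    return [t for t, req, resp in samples if may_log(req, resp)]

if __name__ == "__main__":
    print(logged_targets())
```

The last sample shows why a substring match is not enough: `no-store` there is only text inside another directive's quoted argument, so the exchange is still logged.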
