
Re: Require UAs and intermediary caches to assume Vary: User-Agent

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Wed, 17 Oct 2012 22:28:55 +1300
Message-ID: <507E7A57.7070709@treenet.co.nz>
To: ietf-http-wg@w3.org

On 17/10/2012 10:00 p.m., Simon Pieters wrote:
> On Wed, 17 Oct 2012 09:32:14 +0200, Mark Nottingham <mnot@mnot.net> 
> wrote:
>
>> Um, no.
>>
>> Not only will this retroactively make all intermediary caches 
>> non-conformant, it'll also make them completely useless, because of 
>> the large (and unnecessary) amount of variance in User-Agent headers.
>
> OK, I can see now that it would make them useless.
>
>> I understand there are security issues here caused by CORS,
>
> The security issue under discussion in the referenced thread would 
> materialize if browsers start allowing changing the User-Agent header 
> in XHR without sanitizing it. However, that's not the reason I sent 
> the email. The reason is that bz argued that intermediary caches are 
> broken, which they are for pages on the Web that vary but don't say 
> they vary, however that's not actually limited to the User-Agent 
> header and is not a valid reason to require intermediary caches be 
> useless instead of broken.
>
> Also see 
> http://lists.w3.org/Archives/Public/public-webapps/2012OctDec/0216.html

Exactly. Vary is mandatory for resources with negotiated variations - 
even if it is the nasty "Vary: *". Servers which omit it while varying 
the representation are non-compliant with HTTP already - thus the broken 
complainants have no ground to stand on.

However, if you were to propose an implicit Vary:ETag that would be 
another matter entirely and something I wholeheartedly support. Although 
the smart servers already do that anyway.

AYJ
Received on Wednesday, 17 October 2012 09:29:36 GMT
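
Added example, not part of the original message or of any cache's real code: a minimal shared cache that selects stored responses by the request headers named in Vary, showing how an origin that varies on User-Agent without declaring it causes one client's representation to be served to another. The `Cache` class, the origin functions, and the User-Agent strings are all constructed for illustration.

```python
class Cache:
    """Toy shared cache: one entry list per URL, selected by the Vary'd request headers."""

    def __init__(self):
        self.store = {}  # url -> list of (header_names, header_values, body)

    def fetch(self, url, req_headers, origin):
        req = {k.lower(): v for k, v in req_headers.items()}
        for names, values, body in self.store.get(url, []):
            # An entry stored without Vary has no names, so it matches every request.
            if all(req.get(n) == v for n, v in zip(names, values)):
                return body, "HIT"
        resp_headers, body = origin(req)
        names = [n.strip().lower()
                 for n in resp_headers.get("Vary", "").split(",") if n.strip()]
        if "*" in names:
            return body, "MISS"  # "Vary: *": never reuse the stored response
        values = [req.get(n) for n in names]
        self.store.setdefault(url, []).append((names, values, body))
        return body, "MISS"


def render(req):
    # The origin's actual behaviour: the representation depends on User-Agent.
    return "mobile page" if "Mobile" in req.get("user-agent", "") else "desktop page"


def origin_silent(req):    # varies, but does not say so (the broken case)
    return {}, render(req)


def origin_declared(req):  # varies and declares it
    return {"Vary": "User-Agent"}, render(req)


def origin_star(req):      # varies on something a cache cannot evaluate
    return {"Vary": "*"}, render(req)


def demo(origin):
    """Request the same URL through one cache as a mobile, then a desktop client."""
    cache = Cache()
    first = cache.fetch("/", {"User-Agent": "ExampleBrowser/1.0 Mobile"}, origin)
    second = cache.fetch("/", {"User-Agent": "ExampleBrowser/1.0"}, origin)
    return first, second
```

With `origin_silent` the second client gets the mobile page from cache; with `origin_declared` or `origin_star` it gets its own representation from the origin.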
