
Re: Design issues for access-control

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 05 Nov 2007 10:39:53 +0100
To: Jonas Sicking <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <e7lti3d7pv0o95enblj79trj569qu451uf@hive.bjoern.hoehrmann.de>

* Jonas Sicking wrote:
>Another thing that occurred to me is: do HTTP caches take the full set 
>of request headers into account when caching? Otherwise it could be 
>directly harmful to include Referer-Root and Method-Check headers. The 
>cache might store an "authorize" reply when the request is made for 
>Referer-Root A and wrongly respond with the same document when it is 
>checked for Referer-Root B.

No, authors have to actively prevent improper caching of the response.
Ian suggested that "merely adding a Vary: header with the appropriate
values will remove that problem" so even Ian would fail to set this up
properly (e.g., Vary would have no effect on simple HTTP/1.0 caches).
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Monday, 5 November 2007 09:39:57 UTC
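As an added example (not code from this thread, the WAF WG, or any implementation it discusses), the following Python simulation shows the caching hazard Jonas raises and the caveat in Björn's reply. A shared cache that honours Vary keys the stored "authorize" reply on the Referer-Root and Method-Check request headers, so a later request from a different Referer-Root goes back to the origin; a cache that ignores Vary, as a simple HTTP/1.0 cache would, keys only on method and URL and hands origin A's authorization to origin B. The origin server, the cache model, the path /resource and the values http://a.example and http://b.example are constructed assumptions.

```python
"""Simulation of a shared HTTP cache in front of an origin that answers
access-control requests carrying Referer-Root / Method-Check headers.
Added example, not code from the thread; the origin, the cache and all
header values are constructed for illustration."""

from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def _norm(headers):
    """Header field names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def origin_server(method, path, req_headers):
    """Constructed origin: only Referer-Root http://a.example with a POST
    Method-Check is authorized. Every response carries Vary so that a
    conforming (HTTP/1.1) cache keys the entry on those request headers."""
    h = _norm(req_headers)
    vary = {"Vary": "Referer-Root, Method-Check"}
    if h.get("referer-root") == "http://a.example" and h.get("method-check") == "POST":
        return Response(200, vary, "authorize")
    return Response(403, vary, "deny")


class SharedCache:
    """honours_vary=True models an HTTP/1.1 cache that applies Vary;
    honours_vary=False models a simple HTTP/1.0 cache that keys solely on
    method and URL and never looks at Vary."""

    def __init__(self, honours_vary):
        self.honours_vary = honours_vary
        # (method, path) -> list of (selecting request headers, Response)
        self.entries = {}

    def fetch(self, method, path, req_headers):
        """Serve from cache if a stored response matches; otherwise ask the
        origin and store the reply. Returns (response, served_from_cache)."""
        h = _norm(req_headers)
        stored = self.entries.setdefault((method, path), [])
        for selecting, resp in stored:
            # A stored response is reusable only if every header named in
            # its Vary field has the same value as on the original request.
            # For a Vary-ignoring cache `selecting` is empty, so any request
            # for the same URL matches.
            if all(h.get(name, "") == value for name, value in selecting.items()):
                return resp, True
        resp = origin_server(method, path, req_headers)
        vary = resp.headers.get("Vary", "") if self.honours_vary else ""
        if vary.strip() == "*":
            return resp, False  # Vary: * means the reply must never be reused
        names = [n.strip().lower() for n in vary.split(",") if n.strip()]
        stored.append(({n: h.get(n, "") for n in names}, resp))
        return resp, False


def run_scenario(honours_vary):
    """Origin A's request populates the cache, then origin B asks for the
    same URL. Returns (first_body, second_body, second_was_cache_hit)."""
    cache = SharedCache(honours_vary)
    a = {"Referer-Root": "http://a.example", "Method-Check": "POST"}
    b = {"Referer-Root": "http://b.example", "Method-Check": "POST"}
    first, _ = cache.fetch("GET", "/resource", a)
    second, hit = cache.fetch("GET", "/resource", b)
    return first.body, second.body, hit


if __name__ == "__main__":
    print("HTTP/1.1 cache honouring Vary:", run_scenario(True))
    print("HTTP/1.0 cache ignoring Vary: ", run_scenario(False))
```

Running the script prints `('authorize', 'deny', False)` for the Vary-aware cache and `('authorize', 'authorize', True)` for the Vary-ignoring one: the second line is exactly the wrong reuse Jonas describes, and it occurs even though the origin set Vary, which is the point of Björn's remark that Vary alone does not protect against every intermediary.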