On Sat, Jan 28, 2012 at 9:25 PM, Benjamin Hawkes-Lewis < bhawkeslewis@googlemail.com> wrote: > 2012/1/27 Samuel Santos <samaxes@gmail.com>: > >> * History navigation (Back button) should always read POSTed pages from > >> cache, even if pages had Cache-Control: no-cache set (this is > >> RFC-compliant). This way there is no unexpected resubmission happening > >> automatically, and—unless user forces browser to clear the cache—there > is no > >> need to ask any questions or switch to GET. > > > > > > That should not work with HTTPS. > > Says what? > > > If it does, it's a serious security issue. > > How so? > SSL+no-cache is just like no-store for purposes of history code. And unfortunately, that behavior is needed to make existing bank sites secure (in the "someone who walks up to the computer after you click the logout link can't just go back through history to the site"). > > -- > Benjamin Hawkes-Lewis > -- Samuel Santos http://www.samaxes.com/
Received on Saturday, 28 January 2012 23:30:07 UTC