- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 12 Feb 2009 11:57:19 -0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: WebApps WG <public-webapps@w3.org>
On Thu, Feb 12, 2009 at 8:19 AM, Anne van Kesteren <annevk@opera.com> wrote: > > The specification does not state it yet, but it has been suggested that the > maximum time any cache entry can persist in the preflight result cache > should be 86400 seconds (i.e. 24 hours). It still seems rather low to me. If > people still think we should limit it to this I will make it a > recommendation in the specification (i.e. a should-level requirement). I seem to recall that we discussed using a solution like this: * Not mention particular limit in the definition for the Access-Control-Max-Age * Have a general rule that said that implementations are allowed to discard entries from the cache at any point for security reasons. (this would also allow emptying the cache when the user switches network from a potentially MITMed cafe to a corporate network) * Mention in the security considerations section that implementations should consider having a limit. I'm a little hazy especially on the last point. Don't remember if we agreed on recommending a particular limit or not. In the firefox implementation i've used 86400 seconds but would be fine with changing that. / Jonas
Received on Thursday, 12 February 2009 19:57:53 UTC