
Re: [cors] cache-max-age: just 86400s?

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 25 Feb 2009 17:40:30 +0900
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.upwfpsin64w2qv@annevk-t60.oslo.opera.com>

On Fri, 13 Feb 2009 04:57:19 +0900, Jonas Sicking <jonas@sicking.cc> wrote:
> On Thu, Feb 12, 2009 at 8:19 AM, Anne van Kesteren <annevk@opera.com> wrote:
>> The specification does not state it yet, but it has been suggested that
>> the maximum time any cache entry can persist in the preflight result cache
>> should be 86400 seconds (i.e. 24 hours). It still seems rather low to
>> me. If people still think we should limit it to this I will make it a
>> recommendation in the specification (i.e. a should-level requirement).
> I seem to recall that we discussed using a solution like this:
> * Not mention particular limit in the definition for the Access-Control-Max-Age
> * Have a general rule that said that implementations are allowed to
> discard entries from the cache at any point for security reasons.
> (this would also allow emptying the cache when the user switches
> network from a potentially MITMed cafe to a corporate network)
> * Mention in the security considerations section that implementations
> should consider having a limit.
> I'm a little hazy especially on the last point. Don't remember if we
> agreed on recommending a particular limit or not.
> In the Firefox implementation I've used 86400 seconds but would be
> fine with changing that.

I changed the specification to allow a limit, but no limit is suggested or  
required. Implementations are encouraged to set a limit though.

Anne van Kesteren
Received on Wednesday, 25 February 2009 08:41:18 UTC
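
An added example, not part of the original message and not taken from any browser's code: a simplified preflight result cache that applies an implementation-chosen limit to `Access-Control-Max-Age` (using the 86400-second figure from this thread) and can be emptied at any time, such as on a network change. The class name, method names, cache key and the `onNetworkChange` hook are assumptions made for illustration.

```javascript
// Added illustration. All names here are assumptions, not spec or browser code.
const MAX_AGE_CAP_SECONDS = 86400; // the 24-hour figure mentioned in the thread

class PreflightCache {
  // `now` is injectable so expiry can be exercised without waiting.
  constructor(capSeconds = MAX_AGE_CAP_SECONDS, now = () => Date.now()) {
    this.cap = capSeconds;
    this.now = now;
    this.entries = new Map(); // key -> expiry time in ms
  }

  // Simplified key; a real cache also distinguishes credentials and headers.
  static key(origin, url, method) {
    return JSON.stringify([origin, url, method]);
  }

  // Access-Control-Max-Age is delta-seconds; anything else means "do not cache".
  effectiveMaxAge(headerValue) {
    const v = typeof headerValue === 'string' ? headerValue.trim() : '';
    if (!/^\d+$/.test(v)) return 0;
    return Math.min(Number(v), this.cap); // the server asks, the client decides
  }

  // Returns the lifetime actually granted, in seconds.
  store(origin, url, method, maxAgeHeader) {
    const ttl = this.effectiveMaxAge(maxAgeHeader);
    if (ttl > 0) {
      this.entries.set(PreflightCache.key(origin, url, method), this.now() + ttl * 1000);
    }
    return ttl;
  }

  // True only while a non-expired entry exists; expired entries are evicted.
  has(origin, url, method) {
    const k = PreflightCache.key(origin, url, method);
    const expiry = this.entries.get(k);
    if (expiry === undefined) return false;
    if (this.now() >= expiry) {
      this.entries.delete(k);
      return false;
    }
    return true;
  }

  // Discarding early is always allowed, e.g. when the network changes.
  onNetworkChange() {
    this.entries.clear();
  }
}
```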
