Re: [XHR2] AnonXMLHttpRequest()

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 3 Feb 2010 10:12:37 -0800
Message-ID: <5691356f1002031012y7d5a666u3825347dcb761ead@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>

On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> Another thing that might be worth noting is that if the UA contains a
> HTTP cache (which most popular UAs do), the UA must never use a cached
> response that was the result of a request that was made with
> credentials, when making a request without. The same goes the other
> way around.

I gather this is because sites do not reliably use the Vary header?

When processing a credential-less request, do you use a conditional
GET to validate an existing cache entry that was first retrieved over
a connection that used credentials?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 3 February 2010 18:13:11 GMT
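
The rule quoted in this message, sketched as an added example that is not part of either poster's message or of any UA's code: a cache whose key includes the credentials mode, so an entry stored by one kind of request is invisible to the other. `PartitionedCache`, `plan()` and the sample URL and responses are hypothetical, and the choice to also withhold the other partition's ETag from a conditional GET is an assumption (the strict reading of the rule), not something the thread settles.

```javascript
// Added example: HTTP cache partitioned by credentials mode (hypothetical names).
class PartitionedCache {
  constructor() { this.entries = new Map(); }

  // The credentials mode is part of the key, so a credentialed and a
  // credential-less request for the same URL never share an entry.
  static key(url, withCredentials) {
    return `${withCredentials ? "cred" : "anon"} ${url}`;
  }

  store(url, withCredentials, response, now) {
    this.entries.set(PartitionedCache.key(url, withCredentials), {
      body: response.body,
      etag: response.etag || null,
      expires: now + (response.maxAge || 0) * 1000,
    });
  }

  // Decide how to satisfy a request:
  //   "serve"      fresh entry from the same partition
  //   "revalidate" stale entry with an ETag: conditional GET (If-None-Match)
  //   "fetch"      nothing usable in this partition: plain GET, no validator
  plan(url, withCredentials, now) {
    const entry = this.entries.get(PartitionedCache.key(url, withCredentials));
    if (!entry) return { action: "fetch", headers: {} };
    if (now < entry.expires) return { action: "serve", body: entry.body, headers: {} };
    if (entry.etag) return { action: "revalidate", headers: { "If-None-Match": entry.etag } };
    return { action: "fetch", headers: {} };
  }
}

// Constructed sample: one URL requested with and without credentials.
function demo() {
  const cache = new PartitionedCache();
  const url = "https://example.org/inbox";
  cache.store(url, true, { body: "private inbox", etag: '"v1-user"', maxAge: 60 }, 0);
  const out = {
    anonFresh: cache.plan(url, false, 1000),  // credentialed entry is fresh
    credFresh: cache.plan(url, true, 1000),
    anonStale: cache.plan(url, false, 61000), // credentialed entry is stale
    credStale: cache.plan(url, true, 61000),
  };
  cache.store(url, false, { body: "please log in", etag: '"v1-public"', maxAge: 60 }, 61000);
  out.anonOwn = cache.plan(url, false, 62000);
  out.credAfter = cache.plan(url, true, 62000);
  return out;
}
```
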
