Re: [XHR2] AnonXMLHttpRequest()

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 3 Feb 2010 11:30:51 -0800
Message-ID: <63df84f1002031130u147136afj60b822d5a8c67bce@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>

On Wed, Feb 3, 2010 at 10:12 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> Another thing that might be worth noting is that if the UA contains an
>> HTTP cache (which most popular UAs do), the UA must never use a cached
>> response that was the result of a request that was made with
>> credentials, when making a request without. The same goes the other
>> way around.
>
> I gather this is because sites do not reliably use the Vary header?

I think so, yes.

> When processing a credential-less request, do you use a conditional
> GET to validate an existing cache entry that was first retrieved over
> a connection that used credentials?

The way we do it is that we use the credentials flag as part of the
cache key, along with the URL. The effect is that there's a cache used
for "normal" requests, and a separate cache used for "credentials
free" requests.

/ Jonas
Received on Wednesday, 3 February 2010 19:31:46 GMT
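
The cache-key scheme described in the message above, as an added example that is not part of the original thread and not any browser's actual code. `HttpCache`, `origin`, `fetchThrough` and `demo` are hypothetical names, and the origin is a constructed stand-in for a site that personalises responses by cookie without sending `Vary: Cookie`. It runs the same three requests against a URL-only cache and against a cache keyed on the credentials flag plus the URL.

```javascript
// Added illustration; every name below is hypothetical.
class HttpCache {
  constructor({ partitionByCredentials }) {
    this.partition = partitionByCredentials;
    this.entries = new Map();
  }
  // Key is the URL alone (naive) or [credentials flag, URL] (scheme from the message).
  key(url, withCredentials) {
    return this.partition ? JSON.stringify([withCredentials, url]) : url;
  }
  get(url, withCredentials) {
    return this.entries.get(this.key(url, withCredentials));
  }
  put(url, withCredentials, response) {
    this.entries.set(this.key(url, withCredentials), response);
  }
}

// Constructed origin: body depends on the cookie, but no "Vary: Cookie" is sent.
function origin(url, cookie) {
  return {
    headers: { "Cache-Control": "max-age=60" },
    body: cookie ? `inbox for ${cookie}` : "please log in",
  };
}

// Fetch through the cache; the cookie is attached only when withCredentials is true.
function fetchThrough(cache, url, withCredentials, cookieJar) {
  const hit = cache.get(url, withCredentials);
  if (hit) return { ...hit, fromCache: true };
  const response = origin(url, withCredentials ? cookieJar[url] : undefined);
  cache.put(url, withCredentials, response);
  return { ...response, fromCache: false };
}

// Credentialed request, then a credential-free one, then credentialed again.
function demo(partitionByCredentials) {
  const cache = new HttpCache({ partitionByCredentials });
  const url = "https://example.test/inbox"; // constructed sample URL
  const jar = { [url]: "alice" };           // constructed sample cookie
  return {
    first: fetchThrough(cache, url, true, jar),
    second: fetchThrough(cache, url, false, jar),
    third: fetchThrough(cache, url, true, jar),
  };
}
```

With `demo(false)` the credential-free request is answered from the entry stored by the credentialed one; with `demo(true)` it misses and goes to the origin without the cookie, while the third request still hits the credentialed entry.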