Re: [XHR2] AnonXMLHttpRequest()

On Wed, Feb 3, 2010 at 10:12 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> Another thing that might be worth noting is that if the UA contains a
>> HTTP cache (which most popular UAs do), the UA must never use a cached
>> response that was the result of a request that was made with
>> credentials, when making a request without. The same goes the other
>> way around.
>
> I gather this is because sites do not reliably use the Vary header?

I think so, yes.

> When processing a credential-less request, do you use a conditional
> GET to validate an existing cache entry that was first retrieved over
> a connection that used credentials?

The way we do it is that we use the credentials flag as part of the
cache key, along with the URL. The effect is that there's a cache used
for "normal" requests, and a separate cache used for "credentials
free" requests.

/ Jonas

Received on Wednesday, 3 February 2010 19:31:46 UTC
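
An added sketch of the cache keying described in the message above, comparing a URL-only key with a key that includes the credentials flag. This is illustration code, not taken from any browser or from the thread's participants; `origin`, `HttpCache` and the example.test URL are constructed, and freshness/expiry handling is left out.

```javascript
// Constructed origin: personalises the body when credentials are sent and,
// like the sites discussed in the thread, sends no Vary header.
function origin(url, withCredentials) {
  const body = withCredentials ? "inbox for alice" : "please log in";
  return { status: 200, headers: { "Cache-Control": "max-age=60" }, body };
}

// Hypothetical UA cache. keyFn decides what identifies a cache entry.
class HttpCache {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.entries = new Map();
    this.originHits = 0;
  }
  fetch(url, withCredentials) {
    const key = this.keyFn(url, withCredentials);
    if (this.entries.has(key)) return this.entries.get(key);
    this.originHits++;
    const response = origin(url, withCredentials);
    this.entries.set(key, response);
    return response;
  }
}

// URL-only key: entries are shared between the two request modes.
const urlOnly = (url) => url;
// Credentials flag in the key: two logically separate caches.
const partitioned = (url, withCredentials) =>
  JSON.stringify([url, Boolean(withCredentials)]);

function run(keyFn) {
  const cache = new HttpCache(keyFn);
  const url = "https://example.test/mail";
  const first = cache.fetch(url, true);   // normal request, credentials sent
  const second = cache.fetch(url, false); // credential-free request
  const third = cache.fetch(url, false);  // repeat of the credential-free request
  return { first: first.body, second: second.body, third: third.body,
           originHits: cache.originHits };
}

console.log("url-only key:   ", run(urlOnly));
console.log("partitioned key:", run(partitioned));
```

With the URL-only key the credential-free request is answered from the entry stored for the credentialed one; with the flag in the key it goes to the origin once and is then served from its own entry.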