
Re: [XHR2] AnonXMLHttpRequest()

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 3 Feb 2010 12:19:35 -0800
Message-ID: <5691356f1002031219w21e7ae3eyaed9557df7a7ee00@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
On Wed, Feb 3, 2010 at 11:30 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Wed, Feb 3, 2010 at 10:12 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>>> Another thing that might be worth noting is that if the UA contains a
>>> HTTP cache (which most popular UAs do), the UA must never use a cached
>>> response that was the result of a request that was made with
>>> credentials, when making a request without. The same goes the other
>>> way around.
>>
>> I gather this is because sites do not reliably use the Vary header?
>
> I think so yes.
>
>> When processing a credential-less request, do you use a conditional
>> GET to validate an existing cache entry that was first retrieved over
>> a connection that used credentials?
>
> The way we do it is that we use the credentials flag as part of the
> cache key, along with the url. The effect is that there's a cache used
> for "normal" requests, and a separate cache used for "credentials
> free" requests.

Do you use any special Cache-Control headers to ensure a proxy does
not respond with an entry cached from a request with credentials?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 3 February 2010 20:20:10 GMT
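The partitioning Jonas describes, and the leak it prevents when an origin server omits Vary, modelled as an added Python example (this is illustrative code, not any browser's cache implementation; the URL, origin server and responses are constructed):

```python
"""Model of a user-agent HTTP cache that can use the credentials flag
as part of its cache key. Added example, not any UA's real code."""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


class UACache:
    def __init__(self, partition_by_credentials):
        self.partition = partition_by_credentials
        self.entries = {}

    def _key(self, url, with_credentials):
        # When partitioning, the credentials flag is part of the key, so
        # "normal" and "credentials free" requests get separate entries.
        return (url, with_credentials) if self.partition else (url,)

    def fetch(self, url, with_credentials, origin):
        key = self._key(url, with_credentials)
        if key in self.entries:
            return self.entries[key], True          # served from cache
        resp = origin(url, with_credentials)
        if "no-store" not in resp.headers.get("Cache-Control", ""):
            self.entries[key] = resp
        return resp, False                           # fetched from origin


def origin_without_vary(url, with_credentials):
    # Constructed origin: the response depends on the session cookie,
    # but the server does not send a Vary header (the unreliable case).
    cacheable = {"Cache-Control": "max-age=60"}
    if with_credentials:
        return Response(200, "private profile for alice", cacheable)
    return Response(200, "public landing page", cacheable)


def demo(partition_by_credentials):
    """Credentialed fetch first, then an anonymous fetch of the same URL.
    Returns what the anonymous request received and whether it was a hit."""
    cache = UACache(partition_by_credentials)
    url = "https://example.test/profile"             # constructed URL
    cache.fetch(url, True, origin_without_vary)
    anon, hit = cache.fetch(url, False, origin_without_vary)
    return anon.body, hit
```

With the URL-only key the anonymous request is answered from the credentialed entry; with the flag in the key it goes back to the origin and gets the public response.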
