Re: [XHR2] AnonXMLHttpRequest()

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 03 Feb 2010 14:34:02 -0800
Cc: Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
Message-id: <29DD6491-16E8-4C0F-A007-364487D907EC@apple.com>
To: Julian Reschke <julian.reschke@gmx.de>

On Feb 3, 2010, at 2:12 PM, Julian Reschke wrote:

>> AFAICT, RFC 2616 only does a special case for the Authorization
>> header, which leaves me wondering what shared caches do for other
>> kinds of credentials, such as cookies or the NTLM authentication that
> 
> Cookies require
> 
>  Vary: Cookie
> 
> on the response. Or something more drastic.
> 
>> Jonas referred to. For example, if an origin server responds to a
>> request with cookies by sending a response with no Vary header and no
>> Cache-Control: private or other disabling of caching, would the proxy
>> use the response to respond to a later request without cookies? Do
> 
> If it follows the applicable specs to the letter, yes (I believe).
> 
>> proxies commonly implement a special case for the Cookie header,
>> similar to the Authorization header? Do origin servers commonly have
>> this bug?
> 
> That would be interesting to find out.
> 
> We know that "Vary" doesn't work well in practice because of all the bugs^^^^shortcomings in IE.

I don't think I've ever seen a Web server send "Vary: Cookie". I don't know offhand if they consistently send enough cache control headers to prevent caching across users.

Regards,
Maciej
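The question raised in this exchange (would a shared cache reuse a cookie-bearing response for a later request without cookies if the origin sends neither `Vary: Cookie` nor `Cache-Control: private`?) can be checked against a small model of the RFC 2616 rules. The following Python is an added example, not code from Maciej, Julian or any W3C deliverable; it implements the `Vary` matching rule (RFC 2616 section 13.6), the shared-cache restrictions of `Cache-Control: private` / `no-store` (section 14.9.1) and the `Authorization` special case (section 14.8) as a toy proxy cache, with constructed request and response headers, so that each origin-server configuration mentioned in the thread can be compared side by side.

```python
"""Toy model of a shared (proxy) cache deciding whether a stored response may
answer a later request. Added illustration of the RFC 2616 rules discussed in
the thread; header values and URLs below are constructed for the example."""

from dataclasses import dataclass


@dataclass
class Response:
    headers: dict  # header names are normalised to lowercase in __post_init__
    body: str

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def _cc_directives(headers):
    """Split a Cache-Control value into a set of lowercase directives."""
    cc = headers.get("cache-control", "")
    return {d.strip().lower() for d in cc.split(",") if d.strip()}


def is_storable_by_shared_cache(request_headers, response):
    """RFC 2616 14.9.1: 'private' and 'no-store' forbid shared caching.
    RFC 2616 14.8: a response to a request carrying Authorization must not be
    stored by a shared cache unless s-maxage, must-revalidate or public is set.
    Note that there is no comparable special case for the Cookie header."""
    cc = _cc_directives(response.headers)
    if "no-store" in cc or "private" in cc:
        return False
    if "authorization" in request_headers:
        return ("public" in cc or "must-revalidate" in cc
                or any(d.startswith("s-maxage") for d in cc))
    return True


def vary_matches(stored_request_headers, new_request_headers, response):
    """RFC 2616 13.6: a stored response may be reused only if every request
    header named in Vary has the same value; 'Vary: *' never matches."""
    vary = response.headers.get("vary", "").strip()
    if not vary:
        return True
    if vary == "*":
        return False
    for name in vary.split(","):
        name = name.strip().lower()
        if stored_request_headers.get(name) != new_request_headers.get(name):
            return False
    return True


class SharedCache:
    """Minimal proxy cache keyed by URL, holding one variant per stored request."""

    def __init__(self):
        self._store = {}

    def store(self, url, request_headers, response):
        request_headers = {k.lower(): v for k, v in request_headers.items()}
        if not is_storable_by_shared_cache(request_headers, response):
            return False
        self._store.setdefault(url, []).append((request_headers, response))
        return True

    def lookup(self, url, request_headers):
        request_headers = {k.lower(): v for k, v in request_headers.items()}
        for stored_req, resp in self._store.get(url, []):
            if vary_matches(stored_req, request_headers, resp):
                return resp
        return None


def run_scenarios():
    """Constructed scenario: Alice's cookie-authenticated request yields a
    personalised page; Bob later requests the same URL with no cookie."""
    alice = {"Cookie": "session=alice"}
    bob = {}
    body = "Hello Alice, balance $100"
    results = {}

    # 1. Origin sends no Vary and no Cache-Control: the spec-following cache
    #    hands Alice's page to Bob.
    cache = SharedCache()
    cache.store("/account", alice, Response({"Content-Type": "text/html"}, body))
    hit = cache.lookup("/account", bob)
    results["leak_without_vary"] = hit.body if hit else None

    # 2. Origin sends Vary: Cookie: Bob's cookieless request does not match.
    cache = SharedCache()
    cache.store("/account", alice, Response({"Vary": "Cookie"}, body))
    results["with_vary_cookie"] = cache.lookup("/account", bob)

    # 3. Origin sends Cache-Control: private: the shared cache never stores it.
    cache = SharedCache()
    results["private_stored"] = cache.store(
        "/account", alice, Response({"Cache-Control": "private"}, body))

    # 4. HTTP auth instead of cookies: RFC 2616 14.8 blocks storage by default.
    cache = SharedCache()
    results["authorization_stored"] = cache.store(
        "/account", {"Authorization": "Basic xyz"}, Response({}, body))
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value!r}")
```

Scenario 1 is the cross-user exposure Maciej is asking about: the model cache behaves exactly as Julian says a to-the-letter implementation would. Scenarios 2 and 3 show the two origin-side fixes named in the thread, and scenario 4 shows why the same request with an `Authorization` header is safe by default while the cookie case is not. A reviewer of an origin server's caching headers can adapt `run_scenarios` to their own response headers to check which side of that line they fall on.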
Received on Wednesday, 3 February 2010 22:34:37 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:36 GMT