
Re: [XHR2] AnonXMLHttpRequest()

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 03 Feb 2010 14:34:02 -0800
Cc: Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
Message-id: <29DD6491-16E8-4C0F-A007-364487D907EC@apple.com>
To: Julian Reschke <julian.reschke@gmx.de>

On Feb 3, 2010, at 2:12 PM, Julian Reschke wrote:

>> AFAICT, RFC 2616 only does a special case for the Authorization
>> header, which leaves me wondering what shared caches do for other
>> kinds of credentials, such as cookies or the NTLM authentication that
> Cookies require
>  Vary: Cookie
> on the response. Or something more drastic.
>> Jonas referred to. For example, if an origin server responds to a
>> request with cookies by sending a response with no Vary header and no
>> Cache-Control: private or other disabling of caching, would the proxy
>> use the response to respond to a later request without cookies? Do
> If it follows the applicable specs to the letter, yes (I believe).
>> proxies commonly implement a special case for the Cookie header,
>> similar to the Authorization header? Do origin servers commonly have
>> this bug?
> That would be interesting to find out.
> We know that "Vary" doesn't work well in practice because of all the bugs^^^^shortcomings in IE.

I don't think I've ever seen a Web server send "Vary: Cookie". I don't know offhand if they consistently send enough cache control headers to prevent caching across users.
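The cross-user caching risk discussed in this thread, as an added example that is not part of the original message: a minimal model of a shared (proxy) cache applying the RFC 2616 rules mentioned above (the Authorization special case, Cache-Control: private, and Vary selection). Cookie gets no special case, so a response to a cookied request with neither Vary: Cookie nor Cache-Control: private is served to a later request without cookies. All headers, URLs and cookie values are constructed sample data, and the cache logic is a simplification assumed here for illustration, not any real proxy's code.

```python
"""Toy shared cache modelling the RFC 2616 rules discussed in the thread.

Rules modelled (shared-cache behaviour, simplified):
  * Cache-Control: private / no-store -> a shared cache must not store it.
  * Authorization on the request      -> special-cased (RFC 2616 14.8): not
    stored unless the response says public, must-revalidate or s-maxage.
  * Vary: <headers>                   -> reuse only when those request headers
    match the original request; Vary: * is never reused.
  * Cookie has NO special case: without Vary: Cookie or Cache-Control: private
    a cookied user's response is reusable for a request without cookies.
All sample requests/responses below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def _cc_directives(headers):
    """Cache-Control directive names as a lowercase set (values dropped)."""
    raw = headers.get("Cache-Control", "")
    return {p.strip().split("=")[0].lower() for p in raw.split(",") if p.strip()}


def shared_cache_may_store(req, resp):
    """True if a shared cache is allowed to store this response."""
    cc = _cc_directives(resp.headers)
    if "private" in cc or "no-store" in cc:
        return False
    if "Authorization" in req.headers:
        # The one credential header RFC 2616 special-cases explicitly.
        return bool(cc & {"public", "must-revalidate", "s-maxage"})
    return True


def _vary_matches(stored_req, new_req, resp):
    """Vary selection: every listed request header must match exactly."""
    vary = resp.headers.get("Vary", "").strip()
    if not vary:
        return True
    if vary == "*":
        return False
    return all(
        stored_req.headers.get(h.strip()) == new_req.headers.get(h.strip())
        for h in vary.split(",")
    )


class SharedCache:
    """One stored (request, response) pair per URL; no freshness handling."""

    def __init__(self):
        self._store = {}

    def store(self, req, resp):
        if shared_cache_may_store(req, resp):
            self._store[req.url] = (req, resp)
            return True
        return False

    def lookup(self, req):
        """Cached response if it may answer this request, else None."""
        entry = self._store.get(req.url)
        if entry is None:
            return None
        stored_req, resp = entry
        return resp if _vary_matches(stored_req, req, resp) else None


def leaks_across_users(resp_headers):
    """Scenario from the thread: user A fetches with a Cookie, user B without.

    Returns True if the proxy would hand A's cached response to B.
    """
    cache = SharedCache()
    user_a = Request("/account", {"Cookie": "session=AAA"})  # constructed
    user_b = Request("/account", {})                          # no cookie
    cache.store(user_a, Response("A's private page", dict(resp_headers)))
    return cache.lookup(user_b) is not None


if __name__ == "__main__":
    for hdrs in ({}, {"Cache-Control": "max-age=60"},
                 {"Vary": "Cookie"}, {"Cache-Control": "private"}):
        print(hdrs, "-> leaks" if leaks_across_users(hdrs) else "-> safe")
```

Running the block prints which response header sets let A's page reach B: only Vary: Cookie or Cache-Control: private stop the reuse, while an explicit max-age without either makes the leak worse by keeping the entry fresh.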

Received on Wednesday, 3 February 2010 22:34:37 UTC
