- From: Mark Baker <mark@zepheira.com>
- Date: Tue, 16 Oct 2012 13:04:52 -0400
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>, Jungkee Song <jungkee.song@samsung.com>, Julian Aubourg <j@ubourg.net>, public-webapps@w3.org
On Tue, Oct 16, 2012 at 11:21 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Again, "Vary: User-Agent" is the answer here, from the browser's point of
> view.

Agreed.

> I agree that this would be good to discuss in a security implications
> section. The spec could even require that responses to XHR with custom UA
> simply not be cached, if we want to play it safe.

That would be an improvement, but wouldn't solve the problem of intermediary cache poisoning.

Julian Aubourg wrote:
> Couldn't we simply state in the spec that browsers must add the User-Agent header to the Vary list, all the time?

Vary is a response header, set by the server.

Mark.
Received on Tuesday, 16 October 2012 17:05:23 UTC
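
Added example, not part of the original message: a minimal model of a shared intermediary cache, showing why the secondary cache key depends on the `Vary` header the server sends in its response rather than on anything the browser adds to the request. The class, function names, URL and User-Agent strings are all constructed for illustration.

```javascript
// Constructed model of a shared HTTP cache; all names and values are hypothetical.
const lower = h => Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

class SharedCache {
  constructor() { this.entries = new Map(); } // URL -> list of stored variants

  // Secondary key: the request's values for the headers the response named in Vary.
  static variantKey(varyNames, req) {
    return varyNames.map(n => `${n}=${req[n] ?? ''}`).join('\n');
  }

  fetch(url, reqHeaders, origin) {
    const req = lower(reqHeaders);
    const variants = this.entries.get(url) ?? [];
    for (const v of variants) {
      if (SharedCache.variantKey(v.vary, req) === v.key) {
        return { body: v.body, from: 'cache' };
      }
    }
    const res = origin(req);
    const vary = (res.headers['vary'] ?? '')
      .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    if (!vary.includes('*')) { // "Vary: *" responses are never reused
      variants.push({ vary, key: SharedCache.variantKey(vary, req), body: res.body });
      this.entries.set(url, variants);
    }
    return { body: res.body, from: 'origin' };
  }
}

// Origin that tailors the body to User-Agent, with or without declaring it in Vary.
function makeOrigin(sendVary) {
  return req => ({
    body: /Mobile/.test(req['user-agent'] ?? '') ? 'mobile page' : 'desktop page',
    headers: sendVary ? { vary: 'User-Agent' } : {},
  });
}

function demo(sendVary) {
  const cache = new SharedCache();
  const origin = makeOrigin(sendVary);
  const url = 'http://example.test/';
  // Request 1: XHR whose script set a custom User-Agent (constructed value).
  cache.fetch(url, { 'User-Agent': 'ExampleMobile/1.0 Mobile' }, origin);
  // Request 2: another client behind the same cache, sending its real User-Agent.
  return cache.fetch(url, { 'User-Agent': 'ExampleDesktop/1.0' }, origin);
}
```

`demo(false)` returns the mobile body from the cache to the desktop client, because without `Vary: User-Agent` in the response the cache has no reason to key on the request's User-Agent. `demo(true)` misses the cache and returns the desktop body from the origin.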