Re: Invalidation after updates or deletions

On Mon, 17 Jul 2006, Mark Nottingham wrote:

> RFC2616 says that POST, PUT, DELETE and unrecognised request methods passing 
> through a cache MUST invalidate one or more cache entries (depending on the 
> values of the Location and Content-Location headers).
> In my informal (and not yet complete) testing, I've only found one cache 
> implementation -- client or intermediary -- that actually does this. I've 
> tried to engage various vendors, etc. to fix it, but haven't seen much 
> interest.

Good, my implementation seems to behave properly (although I didn't check 
with Location and Content-Location).

In 13.10, there is also a paragraph about DoS invalidation attacks using 
fake Content-Location, and there is a assumption about "domain of control"
of URIs:

    In order to prevent denial of service attacks, an invalidation based
    on the URI in a Location or Content-Location header MUST only be
    performed if the host part is the same as in the Request-URI.
As having the same host does not mandate any kind of exclusive control 
over the content of a web server, should we downgrade this MUST in a 
SHOULD ? (or even delete it and put warning text about possible DoS 

Yves Lafon - W3C
"Baroula que barouleras, au tiéu toujou t'entourneras."

Received on Tuesday, 18 July 2006 10:03:23 UTC