- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 17 Sep 2009 12:03:25 +1000
- To: HTTP Working Group <ietf-http-wg@w3.org>
#197: Effect of CC directives on history lists
-------------------------------------------+--------------------------------
 Reporter:  mnot@pobox.com                 |       Owner:
     Type:  design                         |      Status:  new
 Priority:  normal                         |   Milestone:  unassigned
Component:  p6-cache                       |     Version:  00-draft
 Severity:  Active WG Document             |    Keywords:
   Origin:                                 |
-------------------------------------------+--------------------------------
Several browser vendors do or will soon respect CC: no-store and CC: max-age=0, must-revalidate for the purposes of history lists, because they see storing some responses in the history list as a security concern (e.g., something with credit card numbers on it).

However, 2616 says that a cache and a history list are separate, and notes that history lists should not unnecessarily prevent users from viewing stale resources.

This is vague; the wording here implies that the history list has the same store as the cache, even though they are almost always implemented separately, as the history list needs to incorporate browser-side state as well as resource state.

This section needs to be revised, and furthermore some means of control over the history list needs to be provided; either

1. CC: no-store (and possibly other) directives apply to history lists as well, or
2. Some other history-specific directives need to be minted (out of scope for HTTPbis, but it can be discussed on-list)
See also:
https://bugs.webkit.org/show_bug.cgi?id=26777
https://bugzilla.mozilla.org/show_bug.cgi?id=441751#c58
http://blogs.imeta.co.uk/JDeabill/archive/2008/07/14/303.aspx
--
Ticket URL: <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/197>
httpbis <http://tools.ietf.org/wg/httpbis/>
--
Mark Nottingham http://www.mnot.net/
Received on Thursday, 17 September 2009 02:04:05 UTC
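As an added example, not part of this message nor any browser's or the WG's code: a small Python check that parses a response's Cache-Control header and reports which of the two patterns the ticket names, no-store or max-age=0 with must-revalidate, would keep the response out of a history list under the browser behaviour described above, so a site operator can verify the headers on sensitive pages. The header dictionaries and sample values are constructed for illustration.

```python
# Added example (not a browser's or the WG's code): which Cache-Control pattern
# from ticket #197 would keep a response out of a browser history list.

def _split_directives(value):
    """Split on commas outside quoted-strings; unescape backslashes in quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(value):
        c = value[i]
        if quoted and c == '\\' and i + 1 < len(value):
            buf.append(value[i + 1])   # escaped char: keep it, drop the backslash
            i += 2
        elif c == ',' and not quoted:
            parts.append(''.join(buf))
            buf = []
            i += 1
        else:
            quoted = quoted != (c == '"')   # toggle on an unescaped quote
            buf.append(c)
            i += 1
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_cache_control(value):
    """Map directive name (lower-cased) to its value, or None if it has none."""
    directives = {}
    for part in _split_directives(value):
        name, _, arg = part.partition('=')
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]            # quoted-string: strip the quotes
        directives[name] = arg or None
    return directives

def history_exclusion_reason(headers):
    """Return 'no-store' or 'max-age=0, must-revalidate' when the response's
    Cache-Control (all instances joined as one list) matches that pattern,
    else None: the response stays eligible for the history list."""
    cc = ','.join(v for k, v in headers.items() if k.lower() == 'cache-control')
    d = parse_cache_control(cc)
    if 'no-store' in d:
        return 'no-store'
    try:
        if 'must-revalidate' in d and int(d['max-age']) == 0:
            return 'max-age=0, must-revalidate'
    except (KeyError, TypeError, ValueError):
        pass                           # missing, bare, or non-numeric max-age
    return None
```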