- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 18 Oct 2010 11:09:01 +1100
- To: HTTP Working Group <ietf-http-wg@w3.org>
Right, but that's largely orthogonal to the question below; whether no-store in a request implies that a previously stored response needs to be invalidated.

Cheers,

On 18/10/2010, at 11:05 AM, David Morris wrote:

>
> I interpret NOSTORE as a stricter restriction than NOCACHE.
> If it can't be stored, it can't be used in a subsequent
> response.
>
> If I recall the discussion from 10 years ago correctly, the
> intent was to reduce the possibility that private information
> could leak via even temporary storage.
>
> Dave Morris
>
> On Mon, 18 Oct 2010, Mark Nottingham wrote:
>
>> Thoughts re: the below?
>>
>> My inclination is to clarify "any response to it" so that a cache can
>> use the same cached response to serve multiple requests with no-store in
>> them (or not).
>>
>> Cheers,
>>
>>
>> Begin forwarded message:
>>
>>> From: Alex Rousskov <rousskov@measurement-factory.com>
>>> Date: 23 September 2010 9:47:57 AM AEST
>>> To: Mark Nottingham <mnot@yahoo-inc.com>
>>> Cc: Squid Developers <squid-dev@squid-cache.org>
>>> Subject: Re: Does no-store in request imply no-cache?
>>>
>>> On 09/22/2010 05:05 PM, Mark Nottingham wrote:
>>>
>>>> Strictly, as a request directive it means "you can't store the
>>>> response to this request" -- it says nothing about whether or not you
>>>> can satisfy the request from a cache.
>>>
>>> Hi Mark,
>>>
>>> Let's assume the above is correct and Squid satisfied the no-store
>>> request from the cache. Should Squid purge the cached response afterwards?
>>>
>>> If Squid does not purge, the next regular request will get the same
>>> cached response as the no-store request got, kind of violating the "MUST
>>> NOT store any response to it" no-store requirement.
>>>
>>> If Squid purges, it is kind of silly because earlier requests could have
>>> gotten the same "sensitive" information before the no-store request came
>>> and declared the already cached information "sensitive".
>>>
>>> Thank you,
>>>
>>> Alex.
>>>
>>>
>>>> See also:
>>>> http://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-11#section-3.2.1
>>>>
>>>>
>>>> On 23/09/2010, at 4:27 AM, Alex Rousskov wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> One interpretation of RFC 2616 allows the proxy to serve hits when
>>>>> the request contains "Cache-Control: no-store". Do you think such an
>>>>> interpretation is valid?
>>>>>
>>>>> no-store
>>>>>    The purpose of the no-store directive is to prevent the
>>>>>    inadvertent release or retention of sensitive information (for
>>>>>    example, on backup tapes). The no-store directive applies to the
>>>>>    entire message, and MAY be sent either in a response or in a
>>>>>    request. If sent in a request, a cache MUST NOT store any part of
>>>>>    either this request or any response to it.
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Alex.
>>
>> --
>> Mark Nottingham     http://www.mnot.net/
>>

--
Mark Nottingham     http://www.mnot.net/
Received on Monday, 18 October 2010 00:09:33 UTC
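
The two cache behaviours debated in this thread, modelled as an added example that is not part of the original messages and is not Squid code: a request with no-store is never stored, an existing entry may still be served to it, and an optional switch purges that entry afterwards. `ToyCache`, `fetch`, `purge_on_no_store_hit` and `demo` are hypothetical names, the origin server and request sequence are constructed, and freshness is ignored.

```python
# Added illustration: toy cache for request "Cache-Control: no-store".
# ToyCache, fetch, purge_on_no_store_hit and demo are hypothetical names.
# Freshness and validation are deliberately ignored.

def directives(headers):
    """Return the lower-cased Cache-Control directive names in headers."""
    value = headers.get("Cache-Control", "")
    return {d.split("=", 1)[0].strip().lower()
            for d in value.split(",") if d.strip()}

class ToyCache:
    def __init__(self, origin, purge_on_no_store_hit=False):
        self.origin = origin            # callable(url) -> (headers, body)
        self.purge = purge_on_no_store_hit
        self.store = {}                 # url -> (headers, body)

    def fetch(self, url, req_headers):
        no_store_req = "no-store" in directives(req_headers)
        if url in self.store:
            # Reading from the thread: request no-store forbids storing the
            # response, and says nothing about serving an existing entry.
            resp = self.store[url]
            if no_store_req and self.purge:
                # Alternative raised in the thread: purge after serving.
                del self.store[url]
            return "HIT", resp
        resp = self.origin(url)
        # Never store when the request or the response carries no-store.
        if not no_store_req and "no-store" not in directives(resp[0]):
            self.store[url] = resp
        return "MISS", resp

def demo(purge):
    """Run a constructed request sequence; return (outcomes, origin fetches)."""
    fetched = []
    def origin(url):                    # constructed origin server
        fetched.append(url)
        return {"Cache-Control": "max-age=60"}, "body-%d" % len(fetched)
    cache = ToyCache(origin, purge_on_no_store_hit=purge)
    requests = [{"Cache-Control": "no-store"}, {},
                {"Cache-Control": "no-store"}, {}]
    return [cache.fetch("/a", h)[0] for h in requests], len(fetched)

if __name__ == "__main__":
    print(demo(purge=False))
    print(demo(purge=True))
```

Without the purge, the third (no-store) request and the fourth (regular) request are both served from the entry stored by the second; with the purge, the fourth request goes back to the origin.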