- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Sun, 17 Oct 2010 19:12:16 -0600
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Cc: David Morris <dwm@xpasc.com>
David Morris wrote:
>
> But if the application author went to the trouble of making
> such a request, then we should err on the side of privacy and
> preclude any use of storage for the request or response.
> Why are you assuming it's the application author making the request?
>
> I'd argue that to not be true. NO-STORE is a privacy oriented
> directive and I don't think we have the ability to discern all the
> small leaks that might occur given the clever black hats that abound.
> The safe path is no use of storage.
>

But in this case, the sender intent explicitly allows caching. If the
application author wants to change a representation to never be stored,
then the server configuration needs to be changed, which isn't the intent
of no-store in a request. In fact, I think the clever black-hats might
find it useful to know that a DDoS can get around cached responses by
just invalidating them in the initial requests.

-Eric
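The cache behaviour Eric argues for, as an added example that is not part of the original thread: a toy shared cache in Python that treats a request-side no-store as governing only whether the current exchange is stored, so an entry stored from an earlier exchange is still served and a stream of no-store requests cannot force every hit through to the origin (the reading later codified in RFC 7234 section 5.2.1.5). The `Cache` class, its `handle` method and the origin-as-dict stand-in are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def parse_cache_control(header: Optional[str]) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in (header or "").split(","):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


@dataclass
class Cache:
    """Toy shared cache keyed by URL (hypothetical; freshness is ignored)."""
    store: Dict[str, str] = field(default_factory=dict)
    origin_hits: int = 0

    def handle(self, url: str, req_cc: Optional[str],
               origin: Dict[str, Tuple[str, str]]) -> Tuple[str, str]:
        """Serve `url`; returns (body, 'cache' | 'origin').

        `origin` maps url -> (body, response Cache-Control) and stands in
        for the origin server (constructed input, not a real fetch)."""
        req = parse_cache_control(req_cc)
        stored = self.store.get(url)
        # Request no-store only forbids storing *this* request/response pair.
        # An entry stored from an earlier exchange may still be served, so a
        # flood of no-store requests cannot evict cached content and force
        # every hit through to the origin. Request no-cache is different: it
        # demands revalidation, modelled here as a fresh origin fetch.
        if stored is not None and "no-cache" not in req:
            return stored, "cache"
        self.origin_hits += 1
        body, resp_cc = origin[url]
        resp = parse_cache_control(resp_cc)
        # Store only when neither side forbids it; a shared cache also
        # must not store a response marked private.
        if "no-store" not in req and not ({"no-store", "private"} & set(resp)):
            self.store[url] = body
        return body, "origin"
```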
Received on Monday, 18 October 2010 01:12:52 UTC