Re: Does no-store in request imply no-cache?

David Morris wrote:
> But if the application author went to the trouble of making
> such a request, then we should err on the side of privacy and
> preclude any use of storage for the request or response.

Why are you assuming it's the application author making the request?

> I'd argue that to not be true. NO-STORE is a privacy oriented
> directive and I don't think we have the ability to discern all the
> small leaks that might occur given the clever black hats that abound.
> The safe path is no use of storage.

But in this case, the sender intent explicitly allows caching.  If the
application author wants to change a representation to never be stored,
then the server configuration needs changed, which isn't the intent of
no-store in a request.  In fact, I think the clever black-hats might
find it useful to know that a DDoS can get around cached responses by
just invalidating them in the initial requests.


Received on Monday, 18 October 2010 01:12:52 UTC