Re: Does no-store in request imply no-cache?

On Sun, 17 Oct 2010, Eric J. Bowman wrote:

> David Morris wrote:
> >
> > But if the application author went to the trouble of making
> > such a request, then we should err on the side of privacy and
> > preclude any use of storage for the request or response.
> > 
> 
> Why are you assuming it's the application author making the request?

Because that is the only likely source of such a header on a
request. No reason for a browser to add this flag on its own. A tool
such as wget or curl might add the header flag as a consequence of
human direction. The pure definition is no use of storage. I see
no reason to contaminate that definition.


> 
> > 
> > I'd argue that to not be true. NO-STORE is a privacy oriented
> > directive and I don't think we have the ability to discern all the
> > small leaks that might occur given the clever black hats that abound.
> > The safe path is no use of storage.
> > 
> 
> But in this case, the sender intent explicitly allows caching.  If the
> application author wants to change a representation to never be stored,
> then the server configuration needs changed, which isn't the intent of
> no-store in a request.  In fact, I think the clever black-hats might
> find it useful to know that a DDoS can get around cached responses by
> just invalidating them in the initial requests.

No, there is no invalidation of a cache here ... the cache should be 
ignored ... no use of storage (aka no-store) is just that, this request
is processed without reference to the current content of the cache.
So the only DoS is w.r.t. the current request.

Received on Monday, 18 October 2010 01:35:26 UTC
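
Added example, not part of the original message or of any real cache implementation: a toy in-memory cache that models the reading of request no-store argued in the reply above, where the request is processed without consulting or writing the cache and without invalidating what is already stored. The class and method names, the status labels and the simplified no-cache handling (refetch instead of conditional revalidation) are assumptions made for illustration.

```python
class ToyCache:
    """Hypothetical model of a shared cache in front of one origin."""

    def __init__(self, origin):
        self.origin = origin      # callable(url) -> body, stands in for the origin server
        self.store = {}           # url -> stored response body
        self.origin_hits = 0      # how many requests reached the origin

    def _fetch(self, url):
        self.origin_hits += 1
        return self.origin(url)

    def get(self, url, request_cache_control=""):
        # Keep only directive names, e.g. "max-age=0" -> "max-age".
        directives = {d.split("=")[0].strip().lower()
                      for d in request_cache_control.split(",") if d.strip()}
        if "no-store" in directives:
            # "No use of storage": no lookup, no write, and the entry
            # already held for this URL is left untouched (no invalidation).
            return self._fetch(url), "BYPASS"
        if "no-cache" not in directives and url in self.store:
            return self.store[url], "HIT"
        # Simplification: no-cache is modelled as a plain refetch and store.
        body = self._fetch(url)
        self.store[url] = body
        return body, "MISS"


def demo():
    # Constructed sample data: the origin returns a new version on each fetch.
    versions = iter(["v1", "v2", "v3"])
    cache = ToyCache(lambda url: next(versions))
    results = [
        cache.get("/r"),               # first request populates the cache
        cache.get("/r"),               # served from storage
        cache.get("/r", "no-store"),   # goes to the origin, nothing stored
        cache.get("/r"),               # earlier entry is still served
    ]
    return results, cache.origin_hits, dict(cache.store)


if __name__ == "__main__":
    print(demo())
```

Under this model each no-store request costs exactly one origin fetch, and requests without the directive keep being answered from the stored entry.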