- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 26 Jul 2011 00:44:02 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Julian,

On Mon, Jul 25, 2011 at 11:54:07PM +0200, Julian Reschke wrote:
> Maybe...:
>
> Use of the Authorization header to transfer credentials implies
> "Cache-Control: private" [ref] and thus affects cacheability of
> responses. Thus, definitions of new authentication schemes that do not
> use "Authorization" will need to ensure that response messages do not
> leak in an unintended way, for instance by specifying "Cache-Control" or
> "Vary: *" [ref] explicitly.
>
> Feedback appreciated,

I can read the first sentence in two ways:

- if a server or intermediary receives an Authorization header, it must assume that "Cache-Control: private" is implied
- if a client wants to emit an Authorization header, it must also add a "Cache-Control: private" header

I think the former was meant given the second sentence, though I'm not 100% certain. If so, maybe we should focus on the recipient of the message and replace "Use of" with "Presence of" (or anything equivalent).

The second part is clear enough however.

Regards,
Willy
Received on Monday, 25 July 2011 22:44:40 UTC
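The reuse rule the thread is discussing, written out as an added example (not code from the thread or from any HTTP implementation): a shared cache that sees an Authorization request header treats the response as implicitly private unless the response opts back in with `public`, `must-revalidate` or `s-maxage` (the RFC 2616 §14.8 / RFC 7234 §3.2 exceptions), whereas a scheme carrying credentials in some other header (the constructed `X-Example-Token` below is an assumption) gets no such protection unless the response says `Cache-Control: private` or `Vary: *` itself.

```python
"""Shared-cache reuse check for responses to authenticated requests.

Added example, not part of the original thread. Header names are
case-insensitive; X-Example-Token is a constructed credential header used
to show why a non-Authorization scheme needs explicit cache directives.
"""


def parse_cache_control(value):
    """Parse a Cache-Control field value into {directive: argument_or_None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_reuse(request_headers, response_headers):
    """Return True if a shared cache may serve this response to other clients."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))

    # Explicit opt-out: private and no-store responses are never reused.
    if "private" in cc or "no-store" in cc:
        return False
    # Vary: * never matches a later request, so it cannot be reused
    # without going back to the origin.
    if resp.get("vary", "").strip() == "*":
        return False
    # Implied private: Authorization on the request blocks reuse unless the
    # response explicitly opts back in (RFC 2616 s.14.8 / RFC 7234 s.3.2).
    if "authorization" in req:
        return any(d in cc for d in ("public", "must-revalidate", "s-maxage"))
    # Any other credential-bearing header gets no implied protection, which
    # is the leak Julian's second sentence is about.
    return True
```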