- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Tue, 26 Jul 2011 13:35:46 +1200
- To: <ietf-http-wg@w3.org>
On Tue, 26 Jul 2011 10:13:11 +1000, Manger, James H wrote: >>On Mon, Jul 25, 2011 at 11:54:07PM +0200, Julian Reschke wrote: >>> Maybe...: >>> >>> Use of the Authorization header to transfer credentials implies >>> "Cache-Control: private" [ref] and thus affects cacheability of >>> responses. Thus, definitions of new authentication schemes that do >>> not >>> use "Authorization" will need to ensure that response messages do >>> not >>> leak in an unintended way, for instance by specifying >>> "Cache-Control" or >>> "Vary: *" [ref] explicitly. >>> >>> Feedback appreciated, > >>I can read the first sentence in two ways : >> - if a server or intermediary receives an Authorization header, it >> must >> assume that "Cache-Control: private" is implied >> - if a client wants to emit an Authorization header, it must also >> add >> a "Cache-Control: private" header >> >>I think the former was meant given the second sentence, though I'm >> not >>100% certain. If so, maybe we should focus on the recipient of the >> message >>and replace "Use of" with "Presence of" (or anything equivalent). >> >>The second part is clear enough however. > > > The first sentence should be read a 3rd way: > - if an Authorization header is present in a request, the > corresponding > response MUST be treated as though it includes "Cache-Control: > private", > unless it explicitly includes a Cache-Control header That wording in turn implies "Cache-Control: something-new" reverts the object to public access. Not a good idea IMHO to premise it on the existing of the header field. "unless it explicitly includes Cache-Control: public" would be better wording. AYJ > > draft-ietf-httpbis-p7-auth-15#section-4.1 already contains 20 lines > of text (1 paragraph plus 3 dot points) about caching when a request > includes an Authorization header. This shouldn't be paraphrased > immediately after that text with the first sentence above "... > implies > Cache-Control: private...". I am not sure that the 20 lines are > totally consistent with this first sentence. > > Perhaps the existing 20 lines were going to be removed, to be > replaced with a single sentence about implying "Cache-Control: > private" by default? That sounds ok to me, as long as the first > sentence makes it clear that "Cache-Control: private" is implied for > the corresponding response. > > Alternatively, if the existing 20 lines are kept, then just add the > 2nd sentence of the Julian's text as a new paragraph at the end of > section 4.1 [draft-ietf-httpbis-p7-auth-15#section-4.1]: > > Use of authentication schemes that do not > use "Authorization" will need to ensure that response messages do > not > leak in an unintended way, for instance by specifying > "Cache-Control" or > "Vary: *" [ref] explicitly. > > -- > James Manger
Received on Tuesday, 26 July 2011 01:36:23 UTC