Re: no-vary: security - cache poisoning from David Benjamin on 2026-01-18 (ietf-http-wg@w3.org from January to March 2026)

From: David Benjamin <davidben@chromium.org>
Date: Sun, 18 Jan 2026 12:39:34 -0500
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAF8qwaDni95+CZEb5iFktcO-N9=fHLatkjsWrETnpwN+XXb4xg@mail.gmail.com>

Wouldn't such an intermediary also be able to poison a cache by sending
other caching headers wrong or the wrong content? I think that's just
generally part of the threat model for caches and intermediaries, unless
I'm missing something here

On Sun, Jan 18, 2026, 11:07 Julian Reschke <julian.reschke@gmx.de> wrote:

> Am 30.09.2025 um 05:20 schrieb Tommy Pauly:
> > Hello HTTP,
> >
> > This email starts a Working Group Last Call for draft-ietf-httpbis-no-
> > vary-search-03.
> > ...
>
> Can an intermediary cause cache poisoning in the recipients by marking
> additional parameters as irrelevant?
>
> Best regards, Julian
>
>

Received on Sunday, 18 January 2026 17:39:51 UTC