- From: Mark Nottingham <notifications@github.com>
- Date: Mon, 27 Feb 2017 16:06:33 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 28 February 2017 00:07:38 UTC
Thinking out loud: I'd really like to fix this for all caches, not just browser caches -- although it might be that the first step is spec'ing it in Fetch, it'd be great if the approach taken can be backported to 7234. I don't think using _credentials flag_ or even _credentials mode_ is adequate. For example, with either, if I browse using two different client certs or session cookies, there is going to be intermingling between them in the cache. Instead, the actual credential has to be part of the cache key. That means: - HTTP authentication - Cookies - TLS client certs The sticky part here is cookies; if we start making them part of the cache key for all responses, cache efficiency is going to bomb, because lots of cookies aren't credentials. Flagging content with credentials (e.g., with a new `Set-Cookie` parameter, or using the `Key` header) probably won't be sufficient to meet the security requirements here. Doing the opposite -- flagging responses whose cookies *aren't* credentials -- might work. `Cache-Control: public` sort of works this way already for the `Authentication` header -- WDYT? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/307#issuecomment-282898783
Received on Tuesday, 28 February 2017 00:07:38 UTC