Re: [cors] cache-max-age: just 86400s?

On Thu, Feb 12, 2009 at 8:19 AM, Anne van Kesteren <annevk@opera.com> wrote:
>
> The specification does not state it yet, but it has been suggested that the
> maximum time any cache entry can persist in the preflight result cache
> should be 86400 seconds (i.e. 24 hours). It still seems rather low to me. If
> people still think we should limit it to this I will make it a
> recommendation in the specification (i.e. a should-level requirement).

I seem to recall that we discussed using a solution like this:

* Not mention a particular limit in the definition for the Access-Control-Max-Age
* Have a general rule that said that implementations are allowed to
discard entries from the cache at any point for security reasons.
(this would also allow emptying the cache when the user switches
network from a potentially MITMed cafe to a corporate network)
* Mention in the security considerations section that implementations
should consider having a limit.

I'm a little hazy especially on the last point. Don't remember if we
agreed on recommending a particular limit or not.

In the Firefox implementation I've used 86400 seconds but would be
fine with changing that.

/ Jonas

Received on Thursday, 12 February 2009 19:57:53 UTC
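
A sketch of the cache behaviour discussed in this message, added here as an illustration and not taken from the specification or from the Firefox implementation: the server's Access-Control-Max-Age is clamped to an implementation limit, and the whole cache can be discarded at any point, for example on a network change. The class name, method names, the simplified cache key and the choice not to cache a malformed header value are assumptions.

```javascript
// Added example; PreflightCache and its methods are hypothetical names.
const MAX_AGE_CAP_SECONDS = 86400; // the 24-hour limit discussed in the thread

class PreflightCache {
  constructor(now = () => Date.now()) {
    this.now = now;           // injectable clock so expiry can be exercised
    this.entries = new Map(); // cache key -> expiry time in milliseconds
  }

  // Simplified key (assumption): origin, request URL and method only.
  static key(origin, url, method) {
    return JSON.stringify([origin, url, method.toUpperCase()]);
  }

  // Seconds an entry may live: the header value clamped to the cap.
  // A non-numeric value yields 0, meaning "do not cache" (assumption).
  static effectiveMaxAge(headerValue) {
    const text = String(headerValue).trim();
    if (!/^\d+$/.test(text)) return 0;
    return Math.min(Number(text), MAX_AGE_CAP_SECONDS);
  }

  // Record a successful preflight; returns the lifetime actually granted.
  store(origin, url, method, maxAgeHeader) {
    const seconds = PreflightCache.effectiveMaxAge(maxAgeHeader);
    if (seconds === 0) return 0;
    const expiry = this.now() + seconds * 1000;
    this.entries.set(PreflightCache.key(origin, url, method), expiry);
    return seconds;
  }

  // True only while the entry is unexpired; expired entries are dropped.
  has(origin, url, method) {
    const k = PreflightCache.key(origin, url, method);
    const expiry = this.entries.get(k);
    if (expiry === undefined) return false;
    if (this.now() >= expiry) {
      this.entries.delete(k);
      return false;
    }
    return true;
  }

  // Discard everything, e.g. when the user moves to a different network.
  clear() {
    this.entries.clear();
  }
}
```

With the cap in place, a response that asks for a week (604800 seconds) is honoured for one day only, and a response cached on one network does not survive a call to `clear()` made when the network changes.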