- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 25 Feb 2009 17:40:30 +0900
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WebApps WG" <public-webapps@w3.org>
On Fri, 13 Feb 2009 04:57:19 +0900, Jonas Sicking <jonas@sicking.cc> wrote:
> On Thu, Feb 12, 2009 at 8:19 AM, Anne van Kesteren <annevk@opera.com>
> wrote:
>> The specification does not state it yet, but it has been suggested that
>> the maximum time any cache entry can persist in the preflight result
>> cache should be 86400 seconds (i.e. 24 hours). It still seems rather
>> low to me. If people still think we should limit it to this I will make
>> it a recommendation in the specification (i.e. a should-level
>> requirement).
>
> I seem to recall that we discussed using a solution like this:
>
> * Not mention a particular limit in the definition for the
>   Access-Control-Max-Age
> * Have a general rule that said that implementations are allowed to
>   discard entries from the cache at any point for security reasons.
>   (this would also allow emptying the cache when the user switches
>   network from a potentially MITMed cafe to a corporate network)
> * Mention in the security considerations section that implementations
>   should consider having a limit.
>
> I'm a little hazy especially on the last point. Don't remember if we
> agreed on recommending a particular limit or not.
>
> In the Firefox implementation I've used 86400 seconds but would be
> fine with changing that.

I changed the specification to allow a limit, but no limit is suggested or required. Implementations are encouraged to set a limit though.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 25 February 2009 08:41:18 UTC
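
The behaviour discussed in this thread, as an added example that is not part of the original message and not taken from any browser's code: a preflight result cache that clamps `Access-Control-Max-Age` to an implementation-chosen limit and can be emptied at any time. The class name, method names, the simplified cache key and the choice to treat a missing or malformed header as "do not cache" are assumptions of this sketch.

```javascript
// Added illustration. Names are hypothetical; the cache key is simplified to
// (origin, url, method) and omits the other fields a real user agent tracks.
const MAX_AGE_CAP_SECONDS = 86400; // the 24 h figure from the thread; the spec requires no limit

class PreflightResultCache {
  constructor(capSeconds = MAX_AGE_CAP_SECONDS, now = () => Date.now()) {
    this.capSeconds = capSeconds;
    this.now = now;            // injectable clock (milliseconds) so expiry is testable
    this.entries = new Map();  // key -> absolute expiry time in milliseconds
  }

  static key(origin, url, method) {
    return JSON.stringify([origin, url, method]);
  }

  // Accept only a non-negative decimal integer. Anything else becomes 0,
  // so a malformed or missing header can never create a long-lived entry.
  static parseMaxAge(headerValue) {
    const text = String(headerValue).trim();
    return /^\d+$/.test(text) ? Number(text) : 0;
  }

  // Returns the lifetime actually granted, in seconds (0 means not cached).
  store(origin, url, method, maxAgeHeader) {
    const requested = PreflightResultCache.parseMaxAge(maxAgeHeader);
    const ttl = Math.min(requested, this.capSeconds); // the server asks, the client decides
    if (ttl === 0) return 0;
    const expires = this.now() + ttl * 1000;
    this.entries.set(PreflightResultCache.key(origin, url, method), expires);
    return ttl;
  }

  // True only while the entry is unexpired; expired entries are dropped on lookup.
  has(origin, url, method) {
    const k = PreflightResultCache.key(origin, url, method);
    const expires = this.entries.get(k);
    if (expires === undefined) return false;
    if (this.now() >= expires) {
      this.entries.delete(k);
      return false;
    }
    return true;
  }

  // Discard everything, for example when the device moves to another network.
  clear() {
    this.entries.clear();
  }
}
```
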