- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 12 May 2010 13:02:05 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Tyler Close" <tyler.close@gmail.com>, "Maciej Stachowiak" <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, "WebApps WG" <public-webapps@w3.org>
Thanks a lot for explaining this, Jonas! In theory this seems like a bug in the server for not sending the appropriate Vary header, but it makes sense to not rely on the server for doing the right thing. However, it seems this means we end up with three separate caches. One for requests including user credentials, one for requests excluding user credentials but including Origin/Referer, and one for requests excluding user credentials and Origin/Referer.

Is there really no way we can drop withCredentials on the floor at this point and encourage people to use AnonXMLHttpRequest() instead? withCredentials is annoyingly inconsistent depending on whether the request is same-origin or not and really not that good of a feature. Dropping it would not make sites insecure as they would still need to include Access-Control-Allow-Credentials.

I think this would give authors a much simpler and consistent API. Either you use AnonXMLHttpRequest which excludes user credentials and Origin/Referer or you use XMLHttpRequest. And the request semantics of both would not depend on other variables.

On Wed, 12 May 2010 00:12:30 +0200, Jonas Sicking <jonas@sicking.cc> wrote:

> The problem with cache is as follows:
>
> [...]
>
> The solution is to use separate HTTP caches for cookie-enabled and
> cookie-less requests (or to include the 'cookies enabled' flag as part
> of the key to the cache).
>
> The mozilla implementation similarly never reuses HTTP keep-alive
> connections between cookie-enabled and cookie-less requests. Nor
> shares ssh connections for https requests between cookie-enabled and
> cookie-less requests.

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 12 May 2010 11:03:13 UTC
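The cache-partitioning problem the two messages discuss, as an added illustration that is not part of the thread and not code from any browser: a toy browser-side HTTP cache keyed only by URL beside one that folds the credentials flag and Origin/Referer presence into the key, giving the three partitions Anne counts. The origin server is a constructed stand-in that varies its body on cookies and Origin but omits the Vary header, which is the server bug Anne mentions. Names such as UrlKeyedCache, PartitionedCache, fakeOriginServer and the example URL are assumptions made for this example.

```javascript
// Added example, not from the thread: a model of why a browser cache must
// key on more than the URL when the server does not send Vary.

// Shape of an outgoing request as the networking layer sees it.
function makeRequest(url, { withCredentials = false, sendsOrigin = true } = {}) {
  return { url, withCredentials, sendsOrigin };
}

// Constructed stand-in for an origin server that forgets to send
// "Vary: Cookie, Origin": the body depends on cookies and on Origin,
// but the response carries no Vary header for a cache to key on.
function fakeOriginServer(req) {
  if (req.withCredentials) {
    return { body: 'private profile for alice', vary: null };
  }
  return req.sendsOrigin
    ? { body: 'public data (CORS response for the sending origin)', vary: null }
    : { body: 'public data', vary: null };
}

// Naive cache: the URL is the whole key. This is the behaviour that lets a
// response produced for a cookie-carrying request be replayed to a
// cookie-less one.
class UrlKeyedCache {
  constructor() { this.entries = new Map(); }
  key(req) { return req.url; }
  lookup(req) { return this.entries.get(this.key(req)); }
  store(req, res) { this.entries.set(this.key(req), res); }
}

// Partitioned cache: the "cookies enabled" flag and Origin/Referer presence
// are part of the key, yielding three partitions for the same URL:
// credentialed, anonymous-with-Origin, anonymous-without-Origin.
class PartitionedCache extends UrlKeyedCache {
  key(req) {
    let mode;
    if (req.withCredentials) mode = 'creds';
    else mode = req.sendsOrigin ? 'anon+origin' : 'anon';
    return `${mode} ${req.url}`;
  }
}

// Fetch through a cache, consulting the server only on a miss.
function fetchThrough(cache, req) {
  const hit = cache.lookup(req);
  if (hit) return { body: hit.body, fromCache: true };
  const res = fakeOriginServer(req);
  cache.store(req, res);
  return { body: res.body, fromCache: false };
}

// Scenario: a credentialed XMLHttpRequest warms the cache, then an
// AnonXMLHttpRequest-style request (no cookies, no Origin/Referer) asks
// for the same URL. Returns what the anonymous request observes.
function anonymousRequestSees(cache) {
  const url = 'https://example.test/profile'; // constructed URL
  fetchThrough(cache, makeRequest(url, { withCredentials: true }));
  return fetchThrough(cache, makeRequest(url, { withCredentials: false, sendsOrigin: false }));
}

console.log(anonymousRequestSees(new UrlKeyedCache()));
// { body: 'private profile for alice', fromCache: true }   credentialed data replayed
console.log(anonymousRequestSees(new PartitionedCache()));
// { body: 'public data', fromCache: false }
```

With the URL-only key the anonymous request is served alice's private response straight from cache; with the partitioned key it misses and gets the public body. The keep-alive and TLS connection separation Jonas mentions follows the same logic at the connection layer and is not modelled here.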