- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 3 Feb 2010 10:12:37 -0800
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>

On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> Another thing that might be worth noting is that if the UA contains a
> HTTP cache (which most popular UAs do), the UA must never use a cached
> response that was the result of a request that was made with
> credentials, when making a request without. The same goes the other
> way around.

I gather this is because sites do not reliably use the Vary header?

When processing a credential-less request, do you use a conditional
GET to validate an existing cache entry that was first retrieved over
a connection that used credentials?

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 3 February 2010 18:13:11 UTC
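
The cache rule quoted in the message above, as an added example that is not part of the original thread or of any browser's code: a toy cache keyed on the URL plus the credentials mode, so a personalised response stored without a `Vary` header is never served to a credential-less request. The class, function names, URL and cookie value are constructed for illustration.

```javascript
// Added illustration, not from the thread: a toy UA cache whose key includes
// the credentials mode. Class, function and field names are hypothetical.
class PartitionedCache {
  constructor() { this.entries = new Map(); }

  // Entries from credentialed and credential-less requests never share a key.
  static key(url, withCredentials) {
    return (withCredentials ? "cred" : "anon") + " " + url;
  }

  // requestHeaders: plain object with lowercase header names (assumption).
  store(url, withCredentials, requestHeaders, response) {
    const vary = (response.headers["vary"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const varied = {};
    for (const h of vary) varied[h] = header(requestHeaders, h);
    this.entries.set(PartitionedCache.key(url, withCredentials),
                     { response, vary, varied });
  }

  lookup(url, withCredentials, requestHeaders) {
    const e = this.entries.get(PartitionedCache.key(url, withCredentials));
    if (!e) return null;                      // other partition or never stored
    if (e.vary.includes("*")) return null;    // Vary: * never matches
    for (const h of e.vary) {
      if (header(requestHeaders, h) !== e.varied[h]) return null;
    }
    return e.response;
  }
}

function header(headers, name) {
  return name in headers ? headers[name] : null;
}

// Constructed scenario: a personalised response stored WITHOUT a Vary header.
function demo() {
  const cache = new PartitionedCache();
  const url = "https://api.example/profile";            // constructed URL
  const cookie = { cookie: "sid=constructed" };         // constructed value
  cache.store(url, true, cookie, { status: 200, headers: {}, body: "hello alice" });
  return {
    anonymous: cache.lookup(url, false, {}),   // null: partition blocks reuse
    credentialed: cache.lookup(url, true, cookie),
  };
}
```

A cache keyed on the URL alone would have relied on the server's `Vary` header to keep the stored body away from the credential-less request; here the partition does that even when the header is missing.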