Re: [XHR2] AnonXMLHttpRequest()

On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> Another thing that might be worth noting is that if the UA contains an
> HTTP cache (which most popular UAs do), the UA must never use a cached
> response that was the result of a request that was made with
> credentials, when making a request without. The same goes the other
> way around.

I gather this is because sites do not reliably use the Vary header?

When processing a credential-less request, do you use a conditional
GET to validate an existing cache entry that was first retrieved over
a connection that used credentials?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 3 February 2010 18:13:11 UTC
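The cache rule Jonas describes, and why it matters when sites omit Vary: Cookie, as an added model (not code from this thread; the origin server, URL and cookie value are constructed). It shows a UA cache keyed on URL alone handing a credentialed response to an anonymous request, and the same cache fixed by making the credentials mode part of the cache key.

```python
"""Model of a UA HTTP cache shared by credentialed and anonymous
(AnonXMLHttpRequest-style) requests. Added example, not code from this
thread; the origin server, URL and cookie value are constructed."""
from typing import Dict, Tuple

Headers = Dict[str, str]
URL = "https://example.test/api"  # constructed


def origin(req: Headers, sends_vary: bool) -> Tuple[Headers, str]:
    """Constructed origin: private body when a Cookie is sent, public body
    otherwise. Many sites omit 'Vary: Cookie', which sends_vary=False models."""
    resp: Headers = {"Cache-Control": "max-age=60"}
    if sends_vary:
        resp["Vary"] = "Cookie"
    if "Cookie" in req:
        return resp, "private data for " + req["Cookie"]
    return resp, "public data"


class UACache:
    """Stores (response headers, request headers, body) per cache key and
    honours Vary. With partition=True the credentials mode is part of the key."""

    def __init__(self, partition: bool, sends_vary: bool):
        self.partition, self.sends_vary = partition, sends_vary
        self.entries: Dict[tuple, Tuple[Headers, Headers, str]] = {}

    def fetch(self, with_credentials: bool, cookie: str) -> str:
        req: Headers = {"Cookie": cookie} if with_credentials else {}
        # The rule from the thread: a response obtained with credentials must
        # never satisfy a request made without them, and vice versa. Keying on
        # the credentials flag enforces that even when the site omits Vary.
        key = (URL, with_credentials) if self.partition else (URL,)
        hit = self.entries.get(key)
        if hit is not None:
            resp, stored_req, body = hit
            vary = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
            if all(stored_req.get(h) == req.get(h) for h in vary):
                return body  # cache hit: no request reaches the origin
        resp, body = origin(req, self.sends_vary)
        self.entries[key] = (resp, req, body)
        return body


def second_request(partition: bool, sends_vary: bool, first_credentialed: bool) -> str:
    """Prime the cache in one request mode, then issue the opposite mode and
    return what the UA hands back: 'private data ...' to the anonymous request
    is the leak; 'public data' to the credentialed one is the reverse case."""
    cache = UACache(partition, sends_vary)
    cache.fetch(first_credentialed, "session=abc")
    return cache.fetch(not first_credentialed, "session=abc")
```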