Re: [XHR2] AnonXMLHttpRequest()

On Wed, Feb 3, 2010 at 11:30 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Wed, Feb 3, 2010 at 10:12 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>>> Another thing that might be worth noting is that if the UA contains a
>>> HTTP cache (which most popular UAs do), the UA must never use a cached
>>> response that was the result of a request that was made with
>>> credentials, when making a request without. The same goes the other
>>> way around.
>>
>> I gather this is because sites do not reliably use the Vary header?
>
> I think so yes.
>
>> When processing a credential-less request, do you use a conditional
>> GET to validate an existing cache entry that was first retrieved over
>> a connection that used credentials?
>
> The way we do it is that we use the credentials flag as part of the
> cache key, along with the url. The effect is that there's a cache used
> for "normal" requests, and a separate cache used for "credentials
> free" requests.

Do you use any special Cache-Control headers to ensure a proxy does
not respond with an entry cached from a request with credentials?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 3 February 2010 20:20:10 UTC
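The cache partitioning Jonas describes (credentials flag as part of the cache key) contrasted with a URL-only cache, as an added Python simulation that is not code from the thread or from any browser; the origin, URL, cookie value and response bodies are constructed, and the origin deliberately omits "Vary: Cookie", which is the situation the thread worries about.

```python
"""Simulated UA HTTP cache: URL-only key versus (URL, credentials) key."""

from typing import Dict, Optional

PRIVATE = b"private profile"
PUBLIC = b"public landing page"


def origin(url: str, cookie: Optional[str]) -> Dict[str, object]:
    """Constructed origin: the same URL serves a personalised body when
    the request carries the (constructed) session cookie, and a public
    body otherwise. It does not emit "Vary: Cookie", as many sites don't."""
    body = PRIVATE if cookie == "session=abc" else PUBLIC
    return {"body": body, "headers": {"Cache-Control": "max-age=60"}}


class NaiveCache:
    """Cache keyed on the URL alone; credentialed and anonymous
    requests share one entry."""

    def __init__(self) -> None:
        self.entries: Dict[object, bytes] = {}

    def key(self, url: str, with_credentials: bool) -> object:
        return url


class PartitionedCache(NaiveCache):
    """Cache keyed on (URL, credentials flag): one cache for normal
    requests, a separate one for credential-free requests."""

    def key(self, url: str, with_credentials: bool) -> object:
        return (url, bool(with_credentials))


def fetch(cache: NaiveCache, url: str, with_credentials: bool) -> bytes:
    """Serve from cache when the key hits, otherwise ask the origin
    (sending the cookie only for credentialed requests) and store the body."""
    k = cache.key(url, with_credentials)
    if k not in cache.entries:
        cookie = "session=abc" if with_credentials else None
        cache.entries[k] = origin(url, cookie)["body"]
    return cache.entries[k]


def anonymous_sees_private(cache_cls) -> bool:
    """Credentialed fetch first, then an anonymous fetch of the same URL:
    True if the anonymous request is served the credentialed response."""
    cache = cache_cls()
    fetch(cache, "https://example.test/home", with_credentials=True)
    return fetch(cache, "https://example.test/home", with_credentials=False) == PRIVATE


def credentialed_gets_public(cache_cls) -> bool:
    """The other direction: anonymous fetch first, then a credentialed one.
    True if the credentialed request is served the anonymous response."""
    cache = cache_cls()
    fetch(cache, "https://example.test/home", with_credentials=False)
    return fetch(cache, "https://example.test/home", with_credentials=True) == PUBLIC
```

Partitioning only protects the UA's own cache; an intermediary cache would still need Cache-Control (for example private or no-store) on the credentialed response, which is the question the last message raises.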