- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 3 Feb 2010 12:19:35 -0800
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
On Wed, Feb 3, 2010 at 11:30 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Wed, Feb 3, 2010 at 10:12 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>>> Another thing that might be worth noting is that if the UA contains a
>>> HTTP cache (which most popular UAs do), the UA must never use a cached
>>> response that was the result of a request that was made with
>>> credentials, when making a request without. The same goes the other
>>> way around.
>>
>> I gather this is because sites do not reliably use the Vary header?
>
> I think so yes.
>
>> When processing a credential-less request, do you use a conditional
>> GET to validate an existing cache entry that was first retrieved over
>> a connection that used credentials?
>
> The way we do it is that we use the credentials flag as part of the
> cache key, along with the url. The effect is that there's a cache used
> for "normal" requests, and a separate cache used for "credentials
> free" requests.

Do you use any special Cache-Control headers to ensure a proxy does not
respond with an entry cached from a request with credentials?

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 3 February 2010 20:20:10 UTC
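As an added example (not code from the thread or from any browser), a toy model of the two UA cache designs discussed above, keyed on the URL alone versus on (URL, credentials flag), plus the shared-cache storability rule from RFC 7234 that bears on the proxy question; class names, URLs and headers are constructed for illustration.

```python
# Constructed example: a URL-keyed cache that leaks a credentialed response
# to a credential-free request, the split cache from the thread that does not,
# and the rule a shared cache (proxy) applies before storing a response.

class UrlKeyedCache:
    """Naive cache: the URL alone is the key, so a response fetched with
    credentials can later satisfy a credential-free request."""
    def __init__(self):
        self.entries = {}

    def store(self, url, with_credentials, body):
        self.entries[url] = body

    def lookup(self, url, with_credentials):
        return self.entries.get(url)


class CredentialsKeyedCache:
    """The approach from the thread: the credentials flag is part of the key,
    giving one cache for 'normal' and one for 'credentials-free' requests."""
    def __init__(self):
        self.entries = {}

    def store(self, url, with_credentials, body):
        self.entries[(url, with_credentials)] = body

    def lookup(self, url, with_credentials):
        return self.entries.get((url, with_credentials))


def simulate_leak(cache):
    """Fetch a private resource with credentials, then repeat the request
    without credentials; return whatever the cache serves (None = miss)."""
    url = "https://example.test/api/profile"   # constructed URL
    cache.store(url, True, "private profile data")
    return cache.lookup(url, False)


def _directives(value):
    """Parse a Cache-Control value into a set of lower-cased directive names."""
    return {d.strip().split("=")[0].lower() for d in value.split(",") if d.strip()}


def shared_cache_may_store(request_headers, response_headers):
    """RFC 7234 sections 3 and 3.2 (the RFC's rule, not a claim from the
    thread): a shared cache must not store a private or no-store response, and
    may store a response to a request carrying Authorization only if the
    response says public, must-revalidate or s-maxage. Cookie gets no such
    protection, so cookie-dependent responses need Cache-Control: private
    (or a Vary header) sent explicitly."""
    cc = _directives(response_headers.get("Cache-Control", ""))
    if cc & {"private", "no-store"}:
        return False
    if "authorization" in {h.lower() for h in request_headers}:
        return bool(cc & {"public", "must-revalidate", "s-maxage"})
    return True
```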