- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 3 Feb 2010 13:16:47 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
On Wed, Feb 3, 2010 at 12:19 PM, Tyler Close <tyler.close@gmail.com> wrote: > On Wed, Feb 3, 2010 at 11:30 AM, Jonas Sicking <jonas@sicking.cc> wrote: >> On Wed, Feb 3, 2010 at 10:12 AM, Tyler Close <tyler.close@gmail.com> wrote: >>> On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote: >>>> Another thing that might be worth noting is that if the UA contains a >>>> HTTP cache (which most popular UAs do), the UA must never use a cached >>>> response that was the result of a request that was made with >>>> credentials, when making a request without. The same goes the other >>>> way around. >>> >>> I gather this is because sites do not reliably use the Vary header? >> >> I think so yes. >> >>> When processing a credential-less request, do you use a conditional >>> GET to validate an existing cache entry that was first retrieved over >>> a connection that used credentials? >> >> The way we do it is that we use the credentials flag as part of the >> cache key, along with the url. The effect is that there's a cache used >> for "normal" requests, and a separate cache used for "credentials >> free" requests. > > Do you use any special Cache-Control headers to ensure a proxy does > not respond with an entry cached from a request with credentials? No. It seems to me that if a proxy uses cashed responses from requests made with different credentials, that proxy has enormous problems already. It would mean that if two users on different computers use the same proxy, they would see each others responses. I'm definitely interested in input on this though. / Jonas
Received on Wednesday, 3 February 2010 21:17:39 UTC