Re: [XHR2] AnonXMLHttpRequest()

On Feb 3, 2010, at 2:12 PM, Julian Reschke wrote:

>> AFAICT, RFC 2616 only does a special case for the Authorization
>> header, which leaves me wondering what shared caches do for other
>> kinds of credentials, such as cookies or the NTLM authentication that
> 
> Cookies require
> 
>  Vary: Cookie
> 
> on the response. Or something more drastic.
> 
>> Jonas referred to. For example, if an origin server responds to a
>> request with cookies by sending a response with no Vary header and no
>> Cache-Control: private or other disabling of caching, would the proxy
>> use the response to respond to a later request without cookies? Do
> 
> If it follows the applicable specs to the letter, yes (I believe).
> 
>> proxies commonly implement a special case for the Cookie header,
>> similar to the Authorization header? Do origin servers commonly have
>> this bug?
> 
> That would be interesting to find out.
> 
> We know that "Vary" doesn't work well in practice because of all the bugs^^^^shortcomings in IE.

I don't think I've ever seen a Web server send "Vary: Cookie". I don't know offhand if they consistently send enough cache control headers to prevent caching across users.

Regards,
Maciej

Received on Wednesday, 3 February 2010 22:34:37 UTC
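To make the question above concrete, here is an added example (not from the thread or from any of its participants) modelling a shared cache that follows RFC 2616 to the letter: it special-cases the Authorization request header but not Cookie, so a personalised response stored without `Vary: Cookie` or `Cache-Control: private` is handed to the next cookie-less request for the same URL. The URL, header and cookie values are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]  # header names lower-cased; all values here are constructed


def shared_cache_may_store(request: Headers, response: Headers) -> bool:
    """RFC 2616 storability for a shared cache: Authorization is the one request
    header it special-cases (section 14.8); Cookie gets no such rule."""
    raw = response.get("cache-control", "")
    cc = {d.strip().split("=")[0].lower() for d in raw.split(",") if d.strip()}
    if cc & {"no-store", "private"}:
        return False
    if "authorization" in request and not cc & {"public", "must-revalidate", "s-maxage"}:
        return False
    return True


class SharedCache:
    """One stored response per URL, keyed further by the request headers named in Vary."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[Headers, Headers, str]] = {}

    def store(self, url: str, request: Headers, response: Headers, body: str) -> bool:
        if not shared_cache_may_store(request, response):
            return False
        self._entries[url] = (request, response, body)
        return True

    def lookup(self, url: str, request: Headers) -> Optional[str]:
        entry = self._entries.get(url)
        if entry is None:
            return None
        stored_request, response, body = entry
        vary = [v.strip().lower() for v in response.get("vary", "").split(",") if v.strip()]
        if "*" in vary:  # Vary: * never matches a later request
            return None
        # A hit requires every Vary-listed request header to match the stored request
        if any(stored_request.get(h) != request.get(h) for h in vary):
            return None
        return body


def replay(response: Headers) -> Optional[str]:
    """Store a personalised response to a cookie-bearing request, then ask what a
    later cookie-less request for the same URL gets back from the shared cache."""
    cache = SharedCache()
    cache.store("/inbox", {"cookie": "session=alice"}, response, "alice's inbox")
    return cache.lookup("/inbox", {})
```

`replay({})` returns the personalised body to the cookie-less request, while `replay({"vary": "Cookie"})` and `replay({"cache-control": "private"})` both return `None`, which is the difference the thread is asking origin servers to get right.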