- From: Martin Atkins <mart@degeneration.co.uk>
- Date: Wed, 26 Nov 2008 14:40:33 -0800
Julian Reschke wrote:
>
> You can already handle the case of content that's available
> unauthenticated, but would potentially differ in case of being
> authenticated by adding
>
> Vary: Authorization
>
> to a response.
>
According to section 14.8 of the HTTP 1.1 specification, the presence of
the Authorization header field implies that the response varies by
Authorization:
When a shared cache (see section 13.7) receives a request
containing an Authorization field, it MUST NOT return the
corresponding response as a reply to any other request, unless one
of the following specific exceptions holds:
[some exceptions in the presence of cache-control directives]
My understanding of this is that "Vary: Authorization" is effectively
implied for all HTTP responses.
Received on Wednesday, 26 November 2008 14:40:33 UTC