- From: Martin Atkins <mart@degeneration.co.uk>
- Date: Wed, 26 Nov 2008 14:40:33 -0800
Julian Reschke wrote:
>
> You can already handle the case of content that's available
> unauthenticated, but would potentially differ in case of being
> authenticated by adding
>
>    Vary: Authorization
>
> to a response.
>

According to section 14.8 of the HTTP 1.1 specification, the presence of the Authorization header field implies that the response varies by Authorization:

    When a shared cache (see section 13.7) receives a request containing an Authorization field, it MUST NOT return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds:

    [some exceptions in the presence of cache-control directives]

My understanding of this is that "Vary: Authorization" is effectively implied for all HTTP responses.

Received on Wednesday, 26 November 2008 14:40:33 UTC
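
The two rules discussed in this message, modelled separately as an added example (not code from the message or from any HTTP implementation): the section 14.8 restriction is applied when a response is stored, and Vary is applied when a later request is matched against a stored response. The class and function names, the `/feed` URL and the credential value are constructed for illustration; freshness and revalidation are left out.

```python
# Added example: simplified shared-cache model; freshness and revalidation ignored.
# Assumption: header dicts use lower-case field names as keys.
AUTH_EXCEPTIONS = {"s-maxage", "must-revalidate", "public"}  # RFC 2616 section 14.8


def directives(headers):
    """Return the lower-cased Cache-Control directive names of a response."""
    raw = headers.get("cache-control", "")
    return {d.split("=", 1)[0].strip().lower() for d in raw.split(",") if d.strip()}


def vary_fields(headers):
    """Return the lower-cased field names listed in the Vary response header."""
    return {f.strip().lower() for f in headers.get("vary", "").split(",") if f.strip()}


class SharedCache:
    def __init__(self):
        self.entries = {}  # url -> (request headers, response headers, body)

    def store(self, url, req, resp, body):
        """Store a response unless the section 14.8 rule forbids reusing it."""
        if "authorization" in req and not (directives(resp) & AUTH_EXCEPTIONS):
            return False  # reply to a request with Authorization: not reusable
        self.entries[url] = (dict(req), dict(resp), body)
        return True

    def lookup(self, url, req):
        """Return the stored body if the Vary-selected request headers match."""
        entry = self.entries.get(url)
        if entry is None:
            return None
        stored_req, resp, body = entry
        fields = vary_fields(resp)
        if "*" in fields or any(stored_req.get(f) != req.get(f) for f in fields):
            return None  # selecting headers differ: forward to the origin
        return body


def anonymous_then_authenticated(resp_headers):
    """Cache a reply to an anonymous request, then look it up with credentials."""
    cache = SharedCache()
    cache.store("/feed", {}, resp_headers, "anonymous body")
    # Constructed credential value, not a real account.
    return cache.lookup("/feed", {"authorization": "Basic Y29uc3RydWN0ZWQ="})
```

In this model `anonymous_then_authenticated({})` returns the stored anonymous body, while passing `{"vary": "Authorization"}` makes the lookup miss.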