IETF Logo Mail Archive

Re: dont-revalidate Cache-Control header

Guille -bisho- <bishillo@gmail.com> Thu, 16 July 2015 20:06 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EC3A1A87BE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 16 Jul 2015 13:06:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.011
X-Spam-Level:
X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EC47NaFEJNfs for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 16 Jul 2015 13:06:57 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA2E41A87AD for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 16 Jul 2015 13:06:57 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ZFpNr-0000bL-Ng for ietf-http-wg-dist@listhub.w3.org; Thu, 16 Jul 2015 20:03:55 +0000
Resent-Date: Thu, 16 Jul 2015 20:03:55 +0000
Resent-Message-Id: <E1ZFpNr-0000bL-Ng@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <bishillo@gmail.com>) id 1ZFpNo-0000ae-8k for ietf-http-wg@listhub.w3.org; Thu, 16 Jul 2015 20:03:52 +0000
Received: from mail-ie0-f179.google.com ([209.85.223.179]) by maggie.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <bishillo@gmail.com>) id 1ZFpNm-0001z0-Vp for ietf-http-wg@w3.org; Thu, 16 Jul 2015 20:03:51 +0000
Received: by ietj16 with SMTP id j16so63664796iet.0 for <ietf-http-wg@w3.org>; Thu, 16 Jul 2015 13:03:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=KB0QP4QXpt2rzZnQpHMwzVXWcdeN8tEObesEZileU/M=; b=UYgqedXM0sdrvXcgX32VFz5UBhtKm3C57FfFmf2nDjt3k780mKQlyVunLDAxpvqGjz N5FNDXdH8XB/xS7nZ1pNLnKIFUgzCv9J2zmbqPvVF92aOJgooHQz+koFFPsH8WC+RQn9 oNp81LMt6d3CGcH9vEGiMRaiAhlNAMJGBazJWKjvwV7AnQVcbfBLkVDTIRBBnj7TdkZb 3qNwIRZ6LtwvwNLb6DXQvQ5EobaH7Vgra4D1VtO7W8tTb2oOTIQBKnsU5vKD9uvEw1SS tOlcZb4gtZ+zmCSw1MAqU/HOWCb4b0CbirmroT4Cm+w0YevA4YGgjW8zlpnpGREjeric CcLw==
X-Received: by 10.107.28.202 with SMTP id c193mr14223334ioc.90.1437077004576; Thu, 16 Jul 2015 13:03:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.142.200 with HTTP; Thu, 16 Jul 2015 13:03:05 -0700 (PDT)
In-Reply-To: <CABkgnnX3OMJ2=5AQcYHB9XeN0TEo0OTrcRmrpBujrqCNwnjOag@mail.gmail.com>
References: <CABgOVaLHBb4zcgvO4NUUmAzUjNkocBGYY3atFA9iuYyoLaLQsA@mail.gmail.com> <559F9E90.4020801@treenet.co.nz> <CABgOVaLG6QZyjqk2AGYupShST_u3ty9BpxUcPX+_yMEC1hyHAQ@mail.gmail.com> <961203FE-7E54-410F-923E-71C04914CD2E@mnot.net> <CABgOVaJxntEyT0v4GvWm0Qi9jbUPEnzxJgg4KyQSM1T_gN1mjQ@mail.gmail.com> <16407353-5C34-42E8-81A6-E0027EC3A0D0@mnot.net> <CABgOVa+C48yYp-ZkawY+Ho6pXONa_UfB0MVt_2+d0ejyESu2Pw@mail.gmail.com> <54973543-2406-4188-8DCD-AE3C85ACB76A@mnot.net> <CABgOVa+CrJ0qBGN-nBYZ2qpJo8X+wkYY-zYAqM6MjTom1QT+Bw@mail.gmail.com> <55A7A4F9.1010500@treenet.co.nz> <CABgOVaLnpnmd7JvY6O=tXXboVuvCCn-p1KLzu8wKVkg-yon79w@mail.gmail.com> <CAMSE37vmBJYkiC+c5+aMqWUvLtY4zOHDbhEJkm=K+=KbTyOO2A@mail.gmail.com> <CABkgnnXNAZdXUx_htq2owyP2CtyM-ERzZdbxM8WGWLrCeNQOaQ@mail.gmail.com> <CAMSE37v6qXzNquAqGPaHgVJYwfGeC+uE1hurc7g4wvoL1nvgkA@mail.gmail.com> <CABkgnnX3OMJ2=5AQcYHB9XeN0TEo0OTrcRmrpBujrqCNwnjOag@mail.gmail.com>
From: Guille -bisho- <bishillo@gmail.com>
Date: Thu, 16 Jul 2015 13:03:05 -0700
Message-ID: <CAMSE37uwbLokWApCUMtj5G9zW4p5RzY63XOx-+VeiRdouw3-SA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Ben Maurer <ben.maurer@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113ff13c5f6cf5051b03900b"
Received-SPF: pass client-ip=209.85.223.179; envelope-from=bishillo@gmail.com; helo=mail-ie0-f179.google.com
X-W3C-Hub-Spam-Status: No, score=-5.3
X-W3C-Hub-Spam-Report: AWL=-0.584, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1ZFpNm-0001z0-Vp f239693036aba4da8c698f5a9f708f54
X-Original-To: ietf-http-wg@w3.org
Subject: Re: dont-revalidate Cache-Control header
Archived-At: <http://www.w3.org/mid/CAMSE37uwbLokWApCUMtj5G9zW4p5RzY63XOx-+VeiRdouw3-SA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29979
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

>
> > - If a page adds the header by mistake, can easily remove it.
>
> Who do you mean by "you" in this statement?


The domain owner. Imagine www.foo.com adds a header by mistake to not
revalidate from domain not-static.foo.com. If it's a mistake, they can
remove the header easily, and not-static.foo.com will have revalidations
again. The static behavior can be revoked with ease.

>
> > - A page can't self-reference their domain, so no risk of bricking
> yourself.
>
> But as proposed you would be able to pin index.html.  So I don't get
> this either.
>

No if we don't allow self-reference. www.foo.com can only disable
revalidations on other *different* domains and those are effective for
sub-resources only, no direct page navigations.

Imagine page a.com tries to use maliciously b.com/index.html as a
subresouce and request not revalidation. If b.com/index.html has a cache
control header, it will be obeyed, and client reloads on a.com won't cause
revalidation of b.com/index.html. But people browsing to b.com/index.html
will have the normal behavior, revalidations and so on.

So this will be simply let page-owner define what other domains are used
for static resources and should not be revalidated. The subresources still
need the usual ttls and cache headers. And direct browsing to the
subresources won't follow the non-revalidation policies.

It's exactly what facebook (and others need). Define the reload behavior,
but rather than doing it in the sub-resources, specify the behavior on the
hosting page directly.

-- 
Guille -ℬḭṩḩø- <bishillo@gmail.com>
:wq

v2.23.0 | Report a Bug | By Email