IETF Logo Mail Archive

Re: dont-revalidate Cache-Control header

Ben Maurer <ben.maurer@gmail.com> Sat, 11 July 2015 18:02 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C50781A90FD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 11 Jul 2015 11:02:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XDszLiP_JhVl for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 11 Jul 2015 11:02:13 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03F941A90FA for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sat, 11 Jul 2015 11:02:12 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ZDz2o-0002Op-UX for ietf-http-wg-dist@listhub.w3.org; Sat, 11 Jul 2015 17:58:34 +0000
Resent-Date: Sat, 11 Jul 2015 17:58:34 +0000
Resent-Message-Id: <E1ZDz2o-0002Op-UX@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ben.maurer@gmail.com>) id 1ZDz2j-0002Nm-0k for ietf-http-wg@listhub.w3.org; Sat, 11 Jul 2015 17:58:29 +0000
Received: from mail-lb0-f180.google.com ([209.85.217.180]) by maggie.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <ben.maurer@gmail.com>) id 1ZDz2h-0003p1-8v for ietf-http-wg@w3.org; Sat, 11 Jul 2015 17:58:28 +0000
Received: by lblf12 with SMTP id f12so37413305lbl.2 for <ietf-http-wg@w3.org>; Sat, 11 Jul 2015 10:58:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nkXSb0QV/6M1NPNb0SMfPLq8Mc/AWm4KZrD7wBuhDI4=; b=YbwsrDDNS5h2OB+TmQtlzn6DZl5301dQ5Y7ujnl2UOZ7wT0aMnPFULTaJATZTHj9w9 ePXS2xrM3TpD+moYNP6CWkLLmm+CLQ5zf0M6KWw1ej7jLTa1JxI9lRIbY9mgxfqcjrjq sQzAqG7zOuJ9BOEWGUWdhk2Sk+9EI8yUzhZ21JZ5E70MKCMCuPCZ9/LBd3OJg4087DAZ c5fqWzaK2ZhcPeI7ckTU/o71qSB+W/EYwrJobzuQPpuo3heAsgv50eQpU7A7tv1NooGF SMPymKz/EIaF3t/bisMK48q8SNdvbAoRZi2vSBlODvRucvjwdrA4lqFg9B66/oG8O60p cfHw==
MIME-Version: 1.0
X-Received: by 10.152.181.34 with SMTP id dt2mr24732476lac.84.1436637480319; Sat, 11 Jul 2015 10:58:00 -0700 (PDT)
Received: by 10.25.163.147 with HTTP; Sat, 11 Jul 2015 10:58:00 -0700 (PDT)
In-Reply-To: <961203FE-7E54-410F-923E-71C04914CD2E@mnot.net>
References: <CABgOVaLHBb4zcgvO4NUUmAzUjNkocBGYY3atFA9iuYyoLaLQsA@mail.gmail.com> <559F9E90.4020801@treenet.co.nz> <CABgOVaLG6QZyjqk2AGYupShST_u3ty9BpxUcPX+_yMEC1hyHAQ@mail.gmail.com> <961203FE-7E54-410F-923E-71C04914CD2E@mnot.net>
Date: Sat, 11 Jul 2015 10:58:00 -0700
Message-ID: <CABgOVaJxntEyT0v4GvWm0Qi9jbUPEnzxJgg4KyQSM1T_gN1mjQ@mail.gmail.com>
From: Ben Maurer <ben.maurer@gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a11341b46af8359051a9d3ade"
Received-SPF: pass client-ip=209.85.217.180; envelope-from=ben.maurer@gmail.com; helo=mail-lb0-f180.google.com
X-W3C-Hub-Spam-Status: No, score=-5.6
X-W3C-Hub-Spam-Report: AWL=-0.911, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1ZDz2h-0003p1-8v 73e9392ff4c0aeddac209e69cbb0e116
X-Original-To: ietf-http-wg@w3.org
Subject: Re: dont-revalidate Cache-Control header
Archived-At: <http://www.w3.org/mid/CABgOVaJxntEyT0v4GvWm0Qi9jbUPEnzxJgg4KyQSM1T_gN1mjQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29937
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hey Mark,

This suggestion also came up in prior discussions of the problem. One major
issue with this solution is that it doesn't address situations where
content is embedded in a third party site. Eg, if a user includes an API
like Google Maps or the Facebook like button those APIs may load
subresources that should fall under this stricter policy. This issue cuts
both ways -- if 3rd party content on your site isn't prepared for these
semantics you could break it.

I believe UAs were worried about the potential security implications of
such an extension -- eg what if you could alter the caching semantics of a
SWF that had privileged cross origin access so that you could extend the
lifetime of a vulnerable version (granted this extension would only make
the situation worse in the case where the user refreshed the page, so it
might not be that big of a deal).

A third design I had discussed would be a heuristic. For example:

If a UA would normally revalidate a fresh resource due to a user action
expressing interest in requesting a fresh page (eg if the user presses the
reload button) it SHOULD use the following heuristic to avoid excessive
revalidations. If the difference between freshness_lifetime and current_age
is less than 7 days, then the UA SHOULD NOT perform the revalidation and
serve the resource.

The idea here is that reloading is such a rare action (2% of page views
according to our stats) that no reasonable site would design their
experience around the user using the reload button. On the other hand it
might be reasonable for the site to have something with a 5 minute
freshness lifetime and for the user to want an up-to-date version of the
resource

Pros:
- No changes to existing headers
- Would provide a speedup for people who are currently following best
practices

Cons:
- Feels like magic
- Theoretically changes the behavior of a site which actively encourages
it's users to use the reload button (I've never seen such a site)
- Forces a developer who actively edits their code to use short lifetimes
or ctrl+shift+r
- UAs are hesitant to do anything which changes existing behavior.

Do you have any more thoughts on preferences between these options?

On Fri, Jul 10, 2015 at 6:33 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Hi Ben,
>
> > On 11 Jul 2015, at 3:14 am, Ben Maurer <ben.maurer@gmail.com> wrote:
> >
> > 2) Create a new behavior that websites can opt in to. Ensure that UAs
> implement it consistently. This has less risk of breaking existing sites,
> though I understand the hesitance to have a header that says "no *REALLY*
> trust my expiration times". Perhaps the header is poorly advertising the
> functionality that we wish to achieve. A better name/behavior might be
> Cache-control: content-addressed. content-addressed would signal that the
> contents of the current URL is a pure function of the URL itself. IE, that
> the contents will never change. It would take priority over a max-age
> header and signal to the browser that the resource should be permanently
> cached.
>
> This seems like the crux of the matter. A CC extension is one way to do
> this, but I wonder if a more appropriate place might be in HTML, since this
> is really about how the browser behaves in reaction to user input, not how
> the cache behaves.
>
> Cheers,
>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>
>
>

v2.23.0 | Report a Bug | By Email