IETF Logo Mail Archive

Re: dont-revalidate Cache-Control header

Guille -bisho- <bishillo@gmail.com> Thu, 16 July 2015 17:43 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA4301B2A16 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 16 Jul 2015 10:43:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.011
X-Spam-Level:
X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id feDzVU4nINmt for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 16 Jul 2015 10:43:05 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 373C21B2A0D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 16 Jul 2015 10:43:04 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ZFn8J-0006sU-MM for ietf-http-wg-dist@listhub.w3.org; Thu, 16 Jul 2015 17:39:43 +0000
Resent-Date: Thu, 16 Jul 2015 17:39:43 +0000
Resent-Message-Id: <E1ZFn8J-0006sU-MM@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <bishillo@gmail.com>) id 1ZFn8F-0006ri-Oo for ietf-http-wg@listhub.w3.org; Thu, 16 Jul 2015 17:39:39 +0000
Received: from mail-ie0-f175.google.com ([209.85.223.175]) by maggie.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <bishillo@gmail.com>) id 1ZFn8D-0002Ez-GE for ietf-http-wg@w3.org; Thu, 16 Jul 2015 17:39:39 +0000
Received: by ieik3 with SMTP id k3so61340897iei.3 for <ietf-http-wg@w3.org>; Thu, 16 Jul 2015 10:39:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=oH5Hhi4oW9qRw6UoRHqcEsOTWdypkkt9LGtEITHByJ0=; b=yEfOOfGCV5uPm/8KxjKkGycW0ZfHIdyOYtQnSDYvTfC+MMnRfDhVFTuCDCYQ1Rxp/k c8aMExPFG/jHRyssN2psEbVoeHHW/MUCjxFhLAq7FR9eR9JMNtp/t3EVSxHHU4MACXAQ qzKy/RvPkIIx9tQvlkaKH33eSIWjp9ysGvsf/umJrSAynTX9MDfxSG1nA/EG8l+9k6Mj dr7/Lq7HQ+Z20N+T+8VXAjnIiJ+T/K93YuQdIyxqseogHoFUd0+1aww1ZbRsTea7KBQQ F474QilI5SvS0qZXUJ8hTBGnDg+Zgo7uviwA0cGTrQd2LMWHNUbK8sgotiPVcZ1JffNC KUbA==
X-Received: by 10.107.28.202 with SMTP id c193mr13455761ioc.90.1437068351530; Thu, 16 Jul 2015 10:39:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.142.200 with HTTP; Thu, 16 Jul 2015 10:38:52 -0700 (PDT)
In-Reply-To: <CABgOVaLnpnmd7JvY6O=tXXboVuvCCn-p1KLzu8wKVkg-yon79w@mail.gmail.com>
References: <CABgOVaLHBb4zcgvO4NUUmAzUjNkocBGYY3atFA9iuYyoLaLQsA@mail.gmail.com> <559F9E90.4020801@treenet.co.nz> <CABgOVaLG6QZyjqk2AGYupShST_u3ty9BpxUcPX+_yMEC1hyHAQ@mail.gmail.com> <961203FE-7E54-410F-923E-71C04914CD2E@mnot.net> <CABgOVaJxntEyT0v4GvWm0Qi9jbUPEnzxJgg4KyQSM1T_gN1mjQ@mail.gmail.com> <16407353-5C34-42E8-81A6-E0027EC3A0D0@mnot.net> <CABgOVa+C48yYp-ZkawY+Ho6pXONa_UfB0MVt_2+d0ejyESu2Pw@mail.gmail.com> <54973543-2406-4188-8DCD-AE3C85ACB76A@mnot.net> <CABgOVa+CrJ0qBGN-nBYZ2qpJo8X+wkYY-zYAqM6MjTom1QT+Bw@mail.gmail.com> <55A7A4F9.1010500@treenet.co.nz> <CABgOVaLnpnmd7JvY6O=tXXboVuvCCn-p1KLzu8wKVkg-yon79w@mail.gmail.com>
From: Guille -bisho- <bishillo@gmail.com>
Date: Thu, 16 Jul 2015 10:38:52 -0700
Message-ID: <CAMSE37vmBJYkiC+c5+aMqWUvLtY4zOHDbhEJkm=K+=KbTyOO2A@mail.gmail.com>
To: Ben Maurer <ben.maurer@gmail.com>
Cc: Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113ff13c9c6b32051b018cba"
Received-SPF: pass client-ip=209.85.223.175; envelope-from=bishillo@gmail.com; helo=mail-ie0-f175.google.com
X-W3C-Hub-Spam-Status: No, score=-5.5
X-W3C-Hub-Spam-Report: AWL=-0.818, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1ZFn8D-0002Ez-GE f358618feca64d9faaceaf6e1185dd74
X-Original-To: ietf-http-wg@w3.org
Subject: Re: dont-revalidate Cache-Control header
Archived-At: <http://www.w3.org/mid/CAMSE37vmBJYkiC+c5+aMqWUvLtY4zOHDbhEJkm=K+=KbTyOO2A@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29974
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

>
>
> You're right that I hadn't been thinking about this with the perspective
> of browser with an intermediate cache. I guess the behavior I'm suggesting
> here is that a browser should treat a refresh on the main resource the same
> as it does today (send a max-age=0 request), however it should *not* do
> this for sub-resources that have the static extension. Open to other
> suggestions about behavior here -- mainly I want to provide a safety net if
> a hack/mistake were to make www.foo.com/ return a corrupt document with a
> static caching flag.
>

The risk is still the typical ga.js url embedded in all websites. If a
bug/hack makes that static, you will need to ask all site owners to go and
change the url to something else, which will take ages.

Perhaps we need to change this header to the page owner? For example
facebook.com embedding a policy no never revalidate sub-resources feched
from static.facebook.com? A website wont be allowed to self-reference, so
we have this security issue solved. The page people navigate to is still
working as normal, subresources can be marked as no revalidate needed, in
case of bug, the policy can be removed and sub-resource urls changed.

-- 
Guille -ℬḭṩḩø- <bishillo@gmail.com>
:wq

v2.23.0 | Report a Bug | By Email