Re: Server Push and Caching

"Roy T. Fielding" <> Sun, 11 September 2016 13:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C9D8712B0F0 for <>; Sun, 11 Sep 2016 06:17:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.529
X-Spam-Status: No, score=-8.529 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.508, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a5gyJX6ThqfA for <>; Sun, 11 Sep 2016 06:17:53 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ED3A912B0A3 for <>; Sun, 11 Sep 2016 06:17:52 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1bj4Z1-0006Sz-7F for; Sun, 11 Sep 2016 13:12:51 +0000
Resent-Date: Sun, 11 Sep 2016 13:12:51 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1bj4Yp-0006SE-Qx for; Sun, 11 Sep 2016 13:12:39 +0000
Received: from ([] by with esmtps (TLS1.1:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <>) id 1bj4Yo-0000YY-1y for; Sun, 11 Sep 2016 13:12:39 +0000
Received: from (localhost []) by (Postfix) with ESMTP id 026DD60001115; Sun, 11 Sep 2016 06:12:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=content-type :mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to;; bh=0Xd2v2UuWnSQGGhwi5N/p2K3Fdo=; b=vzaqUgn0cMr367Qyo1jfdPmJRok6 3P/P2S34FCJNC2tQfzR7wdAQMPS35uEEThMYLH7RGPKO6pH9LhY+XVdZUNSfShSW m4MSoTHKII+WOkHryPYPC9VeVqhjjen1N3W9k0uU2nced2aBb0wkjRvJgGDDU7r6 nl2k4gQqjaSlfvE=
Received: from [] ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id D988D60001101; Sun, 11 Sep 2016 06:12:14 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Roy T. Fielding" <>
In-Reply-To: <>
Date: Sun, 11 Sep 2016 06:12:14 -0700
Cc: Tom Bergan <>, HTTP Working Group <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <>
To: Mark Nottingham <>
X-Mailer: Apple Mail (2.2104)
Received-SPF: none client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-7.8
X-W3C-Hub-Spam-Report: AWL=1.182, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: 1bj4Yo-0000YY-1y 43421f2719938fca982d8277a186af93
Subject: Re: Server Push and Caching
Archived-At: <>
X-Mailing-List: <> archive/latest/32390
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

> On Sep 7, 2016, at 5:06 PM, Mark Nottingham <> wrote:
>> On 8 Sep 2016, at 3:22 AM, Roy T. Fielding <> wrote:
>>>>> Note that HTTP does not put constraints on _how_ the application uses that response after it comes through the API or the cache; it might use it multiple times (e.g., an image might occur more than once on a page, or more than one downstream client might have made the request). It's just that this reuse isn't in the context of a HTTP cache's operation.
>>> You're correct that an HTTP *client* isn't required to revalidate a response, but a cache is.
>> A cache isn't required to revalidate.  Only a client revalidates, and only
>> when it wants to do so.  A cache never makes requests.  A cache is only required
>> to mark the response as stale.
> From previous discussions, I know that's your view, and I think it's internally consistent. I'm less convinced that view is shared by implementations, or even the specs.
> RFC 7234, Section 4: "A cache that does not have a clock available MUST NOT use stored responses without revalidating them upon every use."

Yes, that spec plays loose with the terminology.  Clients make requests.
In some cases, a cache contains a client. In other cases, a cache just
tells the calling client what it currently contains, and is updated as a
side-effect of whatever responses are received.

BTW, I haven't seen any evidence of that requirement enforced, at least for caches
that have an interval timer instead of a wall clock.  They just count the age.

> Section 4.2.4: "A cache MUST NOT generate a stale response if it is prohibited by an explicit in-protocol directive (e.g., by a "no-store" or "no-cache" cache directive, a "must-revalidate" cache-response-directive, or an applicable "s-maxage" or "proxy-revalidate" cache-response-directive; see Section 5.2.2)."

That's inconsistent -- it should be "MUST NOT use a stale response".  The reason
the spec has this requirement is because a cache MAY use a stale response
if it is not prohibited by those explicitly specific directives.

> Section 4.3.2: "When a cache decides to revalidate its own stored responses for a request..."

Should be "When a cache revalidates a stored response ..."

> Section "The "must-revalidate" response directive indicates that once it has become stale, a cache MUST NOT use the response to satisfy subsequent requests without successful validation on the origin server."

That's fine.

> Section 5.5.2:" A cache SHOULD generate this when sending a stale response because an attempt to validate the response failed, due to an inability to reach the server."

Which wrongly assumes that a cache is a server (as does 4.2.4).

> 2616 contains much the same language.

Let's just agree not to go there.

> Cheers,
> --
> Mark Nottingham

So, hold for document update?

I don't understand why this is even an argument.  RFC7234 claims that
it is specifying HTTP caching.  We know that caches appear inside all
forms of HTTP components (user agents, proxies, gateways, origin servers)
and in a variety of non-HTTP components (ISPs, captive portals, etc.).
We know that caches are often configured to be less than semantically
transparent.  We cannot seriously define "HTTP cache" to be only those
caches that limit stale reuse to those in section 4.2.4, as if the
components people call a "cache" in real life magically rename themselves
whenever they don't adhere to those requirements.

The reason I stick to my internally consistent views, instead of relying
on the RFC, is because the RFC is not currently capable of describing
how a user agent works with its own cache.  For example, see

Likewise, semantic transparency isn't sufficient to encompass the configurations
of any performance-enhancing cache, like Squid and Apache TrafficServer.

I think we should just fix section 4.2.4 to not specify things in client/server
terms (rather, a cache adds to or removes from a stored response) and to allow
for cache behavior regarding stale responses to be based on context and