PlaidWeb / Publ

Flexible publishing system for the web
http://publ.beesbuzz.biz/
MIT License

Enable cache-control for requests that aren't user-dependent #526

Closed fluffy-critter closed 1 year ago

fluffy-critter commented 1 year ago

Summary

Set a cache-control header based on whether the page makes use of user identity; fixes #525

Detailed description

If a page doesn't make use of entry authentication, or doesn't request stuff from the current userinfo, set a cache-control header that allows caching.

If the page does use entry authentication or does request stuff from userinfo, disallow caching.

There is a slight gap in that there's no way to tell if userinfo was requested if there is no logged-in user. However, in manual smoke tests, Firefox seems to discard cache entries once the user logs in, likely because of Vary:Cookie behavior, so this is probably a non-issue (and to that end it might actually be safe to always set cache-control with private, max-age=NNN).

max-age will be set based on the server-side caching configuration, with a default of 1 hour otherwise.

Developer/user impact

Might require users to shift-reload in some circumstances.

Test plan

Manual smoke testing with curl -i and the Firefox console. Verified that non-user-dependent and non-authentication-needed pages return a cache-control: public, max-age=NNN and any page that either retrieved userinfo or checked entry auth returned cache-control: private.

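The rule this pull request describes, as an added sketch that is not Publ's code: `RequestState`, `render`, `cache_control` and the sample entries are hypothetical names and constructed data. The sketch assumes the user lookup goes through one accessor that records the read itself, so an anonymous request that consults user info is also marked private.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_MAX_AGE = 3600  # the description's stated default of 1 hour


@dataclass
class RequestState:
    """Per-request record of whether rendering touched user identity (hypothetical)."""
    user: Optional[str] = None      # None means no logged-in user
    user_dependent: bool = False

    def current_user(self) -> Optional[str]:
        # Record the read, not the result, so an anonymous lookup counts too.
        self.user_dependent = True
        return self.user

    def entry_visible(self, allowed: Optional[set]) -> bool:
        # allowed=None models an entry with no authentication requirement.
        if allowed is None:
            return True
        # Any authorization check makes the response depend on the viewer,
        # whether the check passes or fails.
        self.user_dependent = True
        return self.user in allowed


def cache_control(state: RequestState, server_cache_timeout: Optional[int] = None) -> str:
    """Pick the header value: private if identity was consulted, else public."""
    if state.user_dependent:
        return "private"
    max_age = server_cache_timeout if server_cache_timeout else DEFAULT_MAX_AGE
    return f"public, max-age={max_age}"


def render(state, entries, greet_user=False, server_cache_timeout=None):
    """Constructed stand-in for a template render; returns (body, headers)."""
    lines = []
    if greet_user:
        lines.append(f"Hello, {state.current_user() or 'guest'}")
    lines += [title for title, allowed in entries if state.entry_visible(allowed)]
    # The header is chosen after rendering, once every identity read is known.
    return "\n".join(lines), {"Cache-Control": cache_control(state, server_cache_timeout)}
```

Choosing the header only after rendering finishes is what keeps a shared cache from storing a response whose body was filtered for one viewer.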