httpwg / http-core

Core HTTP Specifications
https://httpwg.org/http-core/

Is max-age not a directive that explicitly allows shared caching? #968

Closed. Jxck closed this 3 years ago

Jxck commented 3 years ago

In Section 3:

if the cache is shared: the Authorization header field is not present in the request (see Section 11.6.2 of [HTTP]) or a response directive is present that explicitly allows shared caching (see Section 3.5); and,

and Section 3.5 says:

In this specification, the following response directives have such an effect: must-revalidate (Section 5.2.2.2), public (Section 5.2.2.9), and s-maxage (Section 5.2.2.10).

Based on the above, if the client sends a request with Authorization like below

GET / HTTP/1.1
Authorization: xxxx

and the server responds like below

HTTP/1.1 200 OK
Cache-Control: max-age=3600

a shared cache could not store this response because it does not include must-revalidate, public, s-maxage or another directive that explicitly allows it?

In the discussion of #320,

@mnot mentions that:

A note like this would also help: Note that it is not necessary to add public to a response if the response is explicitly fresh (e.g., due to the presence of the max-age response directive or the Expires header), or if the response is heuristically cacheable (e.g., the 200 and several other response status codes; see [ref to heuristic]).

I also thought that the presence of max-age says that it is explicitly fresh and that it is not necessary to add public. And my understanding of the misunderstood semantics which @mnot mentions is also here.

But the current draft seems to say a different thing to me.

If max-age is not a thing, I think it can be noted in the public section like:

Note that if you intend to store an authorization response with max-age, you also need public to make it explicitly cacheable for a shared cache.

Or if max-age is a thing, a note like the one below helps devs who misunderstand:

Note that if you add max-age, it makes the response explicitly cacheable, so you don't need to add public even for a shared cache.

Please correct me if I misread or misunderstood.

royfielding commented 3 years ago

a shared cache could not store this response because it does not include must-revalidate, public, s-maxage or another directive that explicitly allows it?

That is correct. Another way of saying it is that requests that carry credentials are expected to be private unless otherwise marked. max-age does not mark something as shared-cacheable. The cache directives must-revalidate, public, and s-maxage do.

I don't see a need for further change here. Adding another note does not help (the note recently added about public just made things worse).

mnot commented 3 years ago

The current text is correct. If Authorization is present in the request, max-age is not a sufficient signal that the response is cacheable.
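The rule the three replies agree on (a response to a request carrying Authorization is not shared-cacheable on the strength of max-age alone; only must-revalidate, public or s-maxage explicitly allow it) can be checked mechanically. The following is an added example written for this page, not code from the httpwg/http-core repository or from any of the participants; it models the storability conditions of the caching specification's Section 3 in a simplified form, and the request and response headers it uses are constructed to mirror the exchange in the issue.

```python
"""Simplified shared-cache storability check modelled on HTTP Caching, Section 3.

Added example for this discussion; not part of the httpwg/http-core repository.
Header samples below are constructed for illustration.
"""
from typing import Dict, Mapping, Optional


def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Split a Cache-Control field value into {directive: argument-or-None}.

    Directive names are lowercased; quoted arguments have their quotes removed.
    """
    directives: Dict[str, Optional[str]] = {}
    if not value:
        return directives
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


# Response directives Section 3.5 lists as explicitly allowing a shared cache
# to store a response to a request that carried an Authorization field.
EXPLICITLY_SHARED = {"must-revalidate", "public", "s-maxage"}

# Status codes that are heuristically cacheable by default (Section 4.2.2).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def may_store(request_headers: Mapping[str, str], status: int,
              response_headers: Mapping[str, str], shared: bool) -> bool:
    """Return True if a cache of the given kind may store the response.

    This follows the Section 3 conditions but omits extension directives and
    the 'request method is understood' check for brevity.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    req_cc = parse_cache_control(req.get("cache-control"))
    resp_cc = parse_cache_control(resp.get("cache-control"))

    # no-store on either side forbids storage outright.
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False
    # private forbids storage by a shared cache.
    if shared and "private" in resp_cc:
        return False
    # The point of the issue: a shared cache seeing Authorization in the
    # request needs an explicit shared-caching signal in the response.
    # max-age is not such a signal.
    if shared and "authorization" in req and not (EXPLICITLY_SHARED & resp_cc.keys()):
        return False
    # Finally the response must carry some indication that it is cacheable.
    if "public" in resp_cc:
        return True
    if "expires" in resp or "max-age" in resp_cc:
        return True
    if shared and "s-maxage" in resp_cc:
        return True
    if not shared and "private" in resp_cc:
        return True
    return status in HEURISTICALLY_CACHEABLE


# Constructed exchange mirroring the issue: credentials in the request,
# only max-age in the response (the token value is a placeholder).
REQUEST_WITH_AUTH = {"Authorization": "Bearer <token-placeholder>"}
RESPONSE_MAX_AGE_ONLY = {"Cache-Control": "max-age=3600"}
RESPONSE_MAX_AGE_PUBLIC = {"Cache-Control": "max-age=3600, public"}

if __name__ == "__main__":
    print("shared, max-age only :", may_store(REQUEST_WITH_AUTH, 200, RESPONSE_MAX_AGE_ONLY, shared=True))
    print("private, max-age only:", may_store(REQUEST_WITH_AUTH, 200, RESPONSE_MAX_AGE_ONLY, shared=False))
    print("shared, max-age+public:", may_store(REQUEST_WITH_AUTH, 200, RESPONSE_MAX_AGE_PUBLIC, shared=True))
```

Running it shows the asymmetry the thread describes: the same max-age=3600 response is storable by a private cache but not by a shared one, and adding public (or s-maxage, or must-revalidate) flips the shared-cache result to storable. The check is ordered so that the Authorization rule is evaluated before the freshness rule, which is why max-age alone never rescues the shared case.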