Open martinthomson opened 4 years ago
This seems to originate at https://lists.w3.org/Archives/Public/public-webapi/2006Apr/0214.html without a lot of context. The referenced JSONRequest discussion can be found at https://lists.w3.org/Archives/Public/public-whatwg-archive/2006Mar/thread.html#msg98 but doesn't seem to go into it.
That list of response headers was contested by mnot at some point and I added `Access-Control-Expose-Headers` at that point. But I can't find any discussion about the specific list of headers. It seems to have been accepted as-is from that original proposal.
It's probably not worth removing `Pragma` at this point, even if it remains/is meaningless on a response. We could add a note, perhaps.
The CORS safelisted response headers list includes `Pragma`. Section 5.4 of RFC 7234 specifically states that `Pragma` only has semantics in requests.
On the other side of this, we recently discovered a few cases where `Pragma` was used instead of `Cache-Control`. That is inadvisable, but it does seem to be in use still; how much is redundant with `Cache-Control` is hard to know. Chrome treats `Pragma: no-cache` like `Cache-Control: no-cache` in both request and response.
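
As an added illustration (not part of the issue thread, and not code from the Fetch Standard or any browser), this sketch models which response headers a cross-origin script can read: the safelist, which includes `Pragma`, plus any names opted in through `Access-Control-Expose-Headers`. The function names and the sample response are constructed for the example; it also flags a response that sends `Pragma: no-cache` with no `Cache-Control`, the usage the issue describes.

```javascript
// Added illustration; not code from the Fetch Standard or any browser.
// CORS-safelisted response-header names, as listed in the Fetch Standard.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length", "content-type",
  "expires", "last-modified", "pragma",
]);
// Forbidden response-header names are never readable by script.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Collect the lowercased names from every Access-Control-Expose-Headers value.
function exposeList(headers) {
  const names = new Set();
  for (const [name, value] of headers) {
    if (name.toLowerCase() !== "access-control-expose-headers") continue;
    for (const item of value.split(",")) {
      if (item.trim()) names.add(item.trim().toLowerCase());
    }
  }
  return names;
}

// Names of the headers a cross-origin script may read from a CORS response.
// "*" only acts as a wildcard when the request was made without credentials.
function readableHeaderNames(headers, { credentialed = false } = {}) {
  const listed = exposeList(headers);
  const wildcard = !credentialed && listed.has("*");
  const out = [];
  for (const [name] of headers) {
    const n = name.toLowerCase();
    if (FORBIDDEN.has(n)) continue;
    if (wildcard || SAFELISTED.has(n) || listed.has(n)) out.push(n);
  }
  return out;
}

// True when a response carries Pragma: no-cache but no Cache-Control at all.
function pragmaOnlyNoCache(headers) {
  const get = (h) => headers.filter(([n]) => n.toLowerCase() === h).map(([, v]) => v);
  const pragma = get("pragma").some((v) => /(^|,)\s*no-cache\s*(,|$)/i.test(v));
  return pragma && get("cache-control").length === 0;
}

// Constructed sample response (hypothetical values).
const sample = [
  ["Content-Type", "application/json"], ["Pragma", "no-cache"],
  ["ETag", '"v1"'], ["X-Request-Id", "abc123"], ["Set-Cookie", "sid=1"],
  ["Access-Control-Expose-Headers", "ETag"],
];
console.log(readableHeaderNames(sample), pragmaOnlyNoCache(sample));
```

In the sample, `Pragma` is readable without any opt-in, while `ETag` is readable only because the server listed it and `X-Request-Id` is not readable at all.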