Re: Does no-store in request imply no-cache?

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 22 Sep 2010 17:47:57 -0600

On 09/22/2010 05:05 PM, Mark Nottingham wrote:

> Strictly, as a request directive it means "you can't store the
> response to this request" -- it says nothing about whether or not you
> can satisfy the request from a cache.

Hi Mark,

     Let's assume the above is correct and Squid satisfied the no-store
request from the cache. Should Squid purge the cached response afterwards?

If Squid does not purge, the next regular request will get the same
cached response as the no-store request got, kind of violating the "MUST
NOT store any response to it" no-store requirement.

If Squid purges, it is kind of silly because earlier requests could have
gotten the same "sensitive" information before the no-store request came
and declared the already cached information "sensitive".

Thank you,

Alex.

> See also:
> http://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-11#section-3.2.1
>
>
> On 23/09/2010, at 4:27 AM, Alex Rousskov wrote:
>
>> Hello,
>>
>> One interpretation of RFC 2616 allows the proxy to serve hits when
>> the request contains "Cache-Control: no-store". Do you think such an
>> interpretation is valid?
>>
>> no-store
>> The purpose of the no-store directive is to prevent the
>> inadvertent release or retention of sensitive information (for
>> example, on backup tapes). The no-store directive applies to the
>> entire message, and MAY be sent either in a response or in a
>> request. If sent in a request, a cache MUST NOT store any part of
>> either this request or any response to it.
>>
>> Thank you,
>>
>> Alex.
>
> --
> Mark Nottingham mnot_at_yahoo-inc.com
>
Received on Wed Sep 22 2010 - 23:47:57 MDT
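The two outcomes weighed in this message, as a toy model under Mark's reading that a request no-store forbids storing but not serving a hit. This is an added example, not part of the original e-mail and not Squid code; `ToyCache`, `purge_after_no_store_hit`, `replay` and the URL are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field

URL = "http://example.test/report"  # constructed sample URL


@dataclass
class ToyCache:
    """Shared cache that may serve hits to no-store requests (Mark's reading)."""
    purge_after_no_store_hit: bool = False  # hypothetical switch: Alex's question
    entries: dict = field(default_factory=dict)
    origin_fetches: int = 0

    def _fetch_origin(self, url):
        self.origin_fetches += 1
        return f"{url} body #{self.origin_fetches}"

    def handle(self, url, cache_control=""):
        # Directive names are case-insensitive; drop any "=value" argument.
        names = {d.split("=")[0].strip().lower() for d in cache_control.split(",")}
        no_store = "no-store" in names
        if url in self.entries:
            body = self.entries[url]
            if no_store and self.purge_after_no_store_hit:
                del self.entries[url]  # option 2: purge what was just served
            return "HIT", body
        body = self._fetch_origin(url)
        if not no_store:  # MUST NOT store any response to a no-store request
            self.entries[url] = body
        return "MISS", body


def replay(purge):
    """Regular request, then a no-store request, then another regular request."""
    cache = ToyCache(purge_after_no_store_hit=purge)
    results = [cache.handle(URL), cache.handle(URL, "no-store"), cache.handle(URL)]
    return [status for status, _ in results], [body for _, body in results]


if __name__ == "__main__":
    for purge in (False, True):
        print("purge" if purge else "keep ", *replay(purge))
```

Without the purge, the third request receives the same body the no-store request was served; with the purge, the third request goes to the origin, but the first request had already received that body.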
