Ticket #197 (closed design: fixed)
Effect of CC directives on history lists
|Reported by:||email@example.com||Owned by:|
|Component:||p6-cache||Severity:||Active WG Document|
Several browser vendors do or will soon respect CC: no-store and CC: max-age=0, must-revalidate for the purposes of history lists, because they see storing some responses in the history list as a security concern (e.g., something with credit card numbers on it).
However, 2616 says that a cache and a history list are separate, and notes that history lists should not unnecessarily prevent users from viewing stale resources.
This is vague; the wording here implies that the history list has the same store as the cache, even though they are almost always implemented separately, as the history list needs to incorporate browser-side state as well as resource state.
This section needs to be revised, and furthermore some means of control over the history list needs to be provided; either
- CC: no-store (and possibly other) directives apply to history lists as well, or
- Some other history-specific directives need to be minted (out of scope for HTTPbis, but it can be discussed on-list)
- Status changed from new to closed
- Resolution set to fixed
- Status changed from closed to reopened
- Resolution fixed deleted