[squid-dev] [PATCH] Must revalidate CC:no-cache responses

Amos Jeffries squid3 at treenet.co.nz
Mon Sep 5 10:38:29 UTC 2016


On 5/09/2016 9:52 p.m., Eduard Bagdasaryan wrote:
> 2016-09-04 18:31 GMT+03:00 Amos Jeffries <squid3 at treenet.co.nz>:
> 
>> * ccPrivate is only cacheable in the same conditions as
>> ccNoCacheNoParams so should be an ENTRY_REVALIDATE_ALWAYS as well
> 
> It is unclear what these "same" conditions are. RFC 7234 5.2.2.6:
> 
>    The "private" response directive indicates that the response message
>    is intended for a single user and MUST NOT be stored by a shared
>    cache.
> 
> In my understanding Squid (as a shared cache) must not store "private"
> responses at all (while user agents could). Is this correct? If yes,
> currently Squid violates this MUST.
> 
> On the other hand, "no-cache" without field-names does not impose
> constraints on storing in the cache, but restricts the cache to always
> revalidate.
> 

That is correct as far as the protocol RFC goes.

However we still have people wanting the nasty refresh_pattern
ignore-private option. In order to minimize the security issues that
causes, anything marked as CC:private that does get into cache needs to
be revalidated on every use just like CC:no-cache.

Amos
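
The storage and revalidation rules discussed in this thread, modelled as an added C++ example that is not part of the original message and is not Squid's code. The names `Decision`, `directiveNames` and `classify` are hypothetical, the sample header value is constructed, and `no-store` is included from RFC 7234 rather than from the thread.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

enum class Decision { DoNotStore, StoreRevalidateAlways, StoreNormal };

// Lowercase directive names from a Cache-Control value. Commas inside a
// quoted-string argument (e.g. no-cache="a, b") do not split directives.
static std::set<std::string> directiveNames(const std::string &value) {
    std::set<std::string> names;
    std::string token;
    bool quoted = false;
    auto flush = [&]() {
        std::string name = token.substr(0, token.find('='));
        name.erase(std::remove_if(name.begin(), name.end(),
            [](unsigned char c) { return std::isspace(c) != 0; }), name.end());
        std::transform(name.begin(), name.end(), name.begin(),
            [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        if (!name.empty()) names.insert(name);
        token.clear();
    };
    for (char c : value) {
        if (c == '"') quoted = !quoted;
        if (c == ',' && !quoted) flush(); else token += c;
    }
    flush();
    return names;
}

// Shared-cache decision. ignorePrivate models the refresh_pattern
// ignore-private override. Assumption of this model: any form of private or
// no-cache (with or without field-names) is treated as covering the whole
// response, and freshness (max-age etc.) is out of scope.
Decision classify(const std::string &cacheControl, bool ignorePrivate) {
    const auto cc = directiveNames(cacheControl);
    if (cc.count("no-store")) return Decision::DoNotStore;
    if (cc.count("private"))   // RFC 7234 5.2.2.6: MUST NOT store, unless overridden
        return ignorePrivate ? Decision::StoreRevalidateAlways : Decision::DoNotStore;
    if (cc.count("no-cache")) return Decision::StoreRevalidateAlways;
    return Decision::StoreNormal;
}

int main() {
    const std::string cc = "private, max-age=60";  // constructed sample value
    std::cout << int(classify(cc, false)) << " " << int(classify(cc, true)) << "\n";
}
```

With the override off, a `private` response never enters the shared cache; with it on, the response is stored but lands in the same revalidate-on-every-use class as `no-cache`, which is the behaviour the thread calls ENTRY_REVALIDATE_ALWAYS.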


