[squid-dev] [PATCH] Must revalidate CC:no-cache responses
Amos Jeffries
squid3 at treenet.co.nz
Mon Sep 5 10:38:29 UTC 2016
On 5/09/2016 9:52 p.m., Eduard Bagdasaryan wrote:
> 2016-09-04 18:31 GMT+03:00 Amos Jeffries <squid3 at treenet.co.nz>:
>
>> * ccPrivate is only cacheable in the same conditions as
>> ccNoCacheNoParams so should be an ENTRY_REVALIDATE_ALWAYS as well
>
> It is unclear what these "same" conditions are. RFC 7234 5.2.2.6:
>
> The "private" response directive indicates that the response message
> is intended for a single user and MUST NOT be stored by a shared
> cache.
>
> In my understanding Squid (as a shared cache) must not store "private"
> responses at all (while user agents could). Is this correct? If yes,
> currently Squid violates this MUST.
>
> On the other hand, "no-cache" without field-names does not impose
> constraints on storing in the cache, but restricts the cache to always
> revalidate.
>
That is correct as the protocol RFC goes.
However, we still have people wanting the nasty refresh_pattern
ignore-private option. In order to minimize the security issues that
causes, anything marked as CC:private that does get into cache needs to
be revalidated on every use, just like CC:no-cache.
Amos
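
The store/revalidate rule discussed in this message, as an added C++ example (not Squid source and not part of the original thread). `CachePolicy`, `decide` and `trimLower` are hypothetical names; `ignorePrivate` stands in for the refresh_pattern ignore-private option, and `revalidateAlways` for the ENTRY_REVALIDATE_ALWAYS flag named above. Assumptions: `private` with field-names is treated like bare `private`, and `no-cache` with field-names is not modelled.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical model of the policy in this thread; not Squid's implementation.
struct CachePolicy {
    bool store;             // may the shared cache keep the response?
    bool revalidateAlways;  // must every hit be revalidated with the origin?
};

static std::string trimLower(std::string s) {
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    s.erase(s.begin(), std::find_if(s.begin(), s.end(), notSpace));
    s.erase(std::find_if(s.rbegin(), s.rend(), notSpace).base(), s.end());
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// ccValue: the response's Cache-Control field value.
CachePolicy decide(const std::string &ccValue, bool ignorePrivate) {
    bool priv = false, noCacheBare = false, noStore = false, inQuote = false;
    std::string item;
    auto flush = [&]() {
        const std::string d = trimLower(item);
        item.clear();
        if (d == "no-store") noStore = true;
        else if (d == "no-cache") noCacheBare = true;  // no field-names
        else if (d == "private" || d.rfind("private=", 0) == 0) priv = true;
    };
    // Split on commas, but not on commas inside a quoted field-name list.
    for (char c : ccValue) {
        if (c == '"') inQuote = !inQuote;
        if (c == ',' && !inQuote) flush();
        else item += c;
    }
    flush();
    if (noStore) return {false, false};
    if (priv && !ignorePrivate) return {false, false};  // RFC 7234 5.2.2.6
    // A private response admitted by the override is only safe to reuse
    // after revalidation, exactly like a bare no-cache response.
    return {true, priv || noCacheBare};
}
```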