On Nov 7, 2005, at 1:01 PM, Paul Querna wrote:
If there is a compelling reason to support not adding Cache-Control:
private to authenticated requests, then it's definitely an option, but I
think we should default to the safe option for now.

The compelling reason is that this implies that even for the DEFAULT
configuration of apache, we should be sending cache-control private, for
EVERY page served.

Why?

This also implies that if you use mod_rewrite based on any
non-Varied-Header information, you should be setting Cache-Control:
Private too.

No, you should be setting Vary: * if the content varies.  That is
also required by HTTP.

The default in all cases should be HTTP-compliant.  You can define
additional directives for overriding compliance by consent of
the owner, but we shouldn't ship a server that doesn't work
correctly by default.

....Roy
