Guys,

On Wed, Aug 07, 2019 at 02:07:09PM +0200, Baptiste wrote:
> Hi Vincent,
> 
> HAProxy does not follow the max-age in the Cache-Control anyway.

I know it's a bit late but I'm having an objection against this change.
The reason is simple, OPTIONS is explicitly documented as being
non-cacheable : https://tools.ietf.org/html/rfc7231#section-4.3.7

So not only by implementing it we're going to badly break a number
of properly running applications, but in addition we cannot expect
any cache-control from the server in response to an OPTIONS request
precisely because this is forbidden by the HTTP standard.

When I search for OPTIONS and cache on the net, I only find AWS's
Cloudfront which offers an option to enable it, and a number of
feature requests responded to by "don't do that you're wrong". So
at the very least we need to disable this by default, and possibly
condition it with a well visible option such as "yes-i-know-i-am-
breaking-the-cache-and-promise-never-to-file-a-bug-report" but what
would be better would be to understand the exact use case and why it
is considered to be valid despite being a blatant violation of the
HTTP standard! History tells us that purposely violating standards
only happens for bad reasons and systematically results in security
issues. 

Thanks,
Willy

Reply via email to