Thanks a lot for explaining this Jonas! In theory this seems like a bug in
the server for not sending the appropriate Vary header, but it makes sense
to not rely on the server for doing the right thing.
However, it seems this means we end up with three separate caches. One for
requests including user credentials, one for requests excluding user
credentials but including Origin/Referer, and one for requests excluding
user credentials and Origin/Referer. Is there really no way we can drop
withCredentials on the floor at this point and encourage people to use
AnonXMLHttpRequest() instead? withCredentials is annoyingly inconsistent
depending on whether the request is same-origin or not and really not that
good of a feature. Dropping it would not make sites insecure as they would
still need to include Access-Control-Allow-Credentials.
I think this would give authors a much simpler and consistent API. Either
you use AnonXMLHttpRequest which excludes user credentials and
Origin/Referer or you use XMLHttpRequest. And the request semantics of
both would not depend on other variables.
On Wed, 12 May 2010 00:12:30 +0200, Jonas Sicking <[email protected]> wrote:
The problem with cache is as follows:
[...]
The solution is to use separate HTTP caches for cookie-enabled and
cookie-less requests (or to include the 'cookies enabled' flag as part
of the key to the cache).
The mozilla implementation similarly never reuses HTTP keep-alive
connections between cookie-enabled and cookie-less requests. Nor
shares SSL connections for https requests between cookie-enabled and
cookie-less requests.
--
Anne van Kesteren
http://annevankesteren.nl/
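The cache-keying point made in the quoted text (and the three-way split Anne counts), as an added illustration that is not part of this thread and not Mozilla's code: a toy client-side HTTP cache that keys entries on the request URL only, beside one that also folds the client's own "credentials sent" and "Origin/Referer sent" flags into the key. The origin server, URL and cookie value are constructed for the example; the server deliberately varies its body on the Cookie header without sending a Vary header, which is the server-side bug the reply assumes.

```javascript
// Added example, not code from the thread. Models the two cache designs:
// a naive cache keyed on URL alone, and a partitioned cache keyed on
// URL + credentials flag + origin/referer flag (the "cookies enabled"
// flag as part of the cache key, extended with Anne's Origin/Referer split).

// Constructed origin server (assumption): answers differently when a
// Cookie header is present and, like the buggy server discussed, omits
// "Vary: Cookie", so it is up to the client to keep the responses apart.
function makeServer() {
  return function handle(req) {
    const body = req.headers.cookie
      ? 'private profile for ' + req.headers.cookie
      : 'public page';
    return { status: 200, headers: { 'cache-control': 'max-age=60' }, body };
  };
}

// The request "mode" is derived from what the client itself sent,
// never from anything the server returned.
function requestMode(req) {
  return {
    credentials: Boolean(req.headers.cookie),
    originSent: Boolean(req.headers.origin || req.headers.referer),
  };
}

// Naive cache key: URL only, so a credentialed response can be handed to
// a later cookie-less request for the same URL.
function naiveKey(req) {
  return req.url;
}

// Partitioned cache key: the flags become part of the key, which is
// equivalent to keeping separate caches per mode.
function partitionedKey(req) {
  const m = requestMode(req);
  return `${req.url}|cred=${m.credentials ? 1 : 0}|origin=${m.originSent ? 1 : 0}`;
}

class CachingClient {
  constructor(server, keyFn) {
    this.server = server;
    this.keyFn = keyFn;
    this.cache = new Map();
    this.networkFetches = 0;
  }
  fetch(req) {
    const key = this.keyFn(req);
    if (this.cache.has(key)) {
      return { ...this.cache.get(key), fromCache: true };
    }
    this.networkFetches += 1;
    const res = this.server(req);
    this.cache.set(key, res);
    return { ...res, fromCache: false };
  }
}

// Runs the same three requests against a client using the given key
// function and reports what the cookie-less request actually received.
// Constructed inputs: a credentialed request, an anonymous one, and an
// anonymous cross-origin one that carries an Origin header.
function scenario(keyFn) {
  const client = new CachingClient(makeServer(), keyFn);
  const url = 'https://example.test/data';
  const credentialed = { url, headers: { cookie: 'sid=abc' } };
  const anonymous = { url, headers: {} };
  const anonymousWithOrigin = { url, headers: { origin: 'https://other.test' } };

  client.fetch(credentialed);
  const anon = client.fetch(anonymous);
  client.fetch(anonymousWithOrigin);

  return {
    anonymousBody: anon.body,
    anonymousFromCache: anon.fromCache,
    networkFetches: client.networkFetches,
    cacheEntries: client.cache.size,
  };
}
```

With naiveKey the anonymous request is served the credentialed body straight from cache; with partitionedKey the three request modes land in three separate entries, matching the three caches counted above.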