On Tue, Oct 16, 2012 at 11:21 AM, Boris Zbarsky <[email protected]> wrote:

> Again, "Vary: User-Agent" is the answer here, from the browser's point of
> view.

Agreed.

> I agree that this would be good to discuss in a security implications
> section. The spec could even require that responses to XHR with custom UA
> simply not be cached, if we want to play it safe.

That would be an improvement, but wouldn't solve the problem of intermediary cache poisoning.

Julian Aubourg wrote:

> Couldn't we simply state in the spec that browsers must add the User-Agent
> header to the Vary list, all the time?

Vary is a response header, set by the server.

Mark.
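As an added illustration (not part of the thread), a toy shared cache applying the Vary secondary-key rule of RFC 7234 section 4.1 shows the point being made: only the origin's response header decides whether a response generated for a custom XHR User-Agent is keyed on that header, so without "Vary: User-Agent" an intermediary will reuse it for ordinary browser requests. The URL, UA strings and response body are constructed.

```python
# Added example (not from the thread): a toy shared cache that applies the
# Vary secondary-key rule of RFC 7234 s4.1, to show why the origin's Vary
# header, not the browser, decides whether a UA-specific response is reusable.

def _hget(headers, name):
    """Case-insensitive header lookup with whitespace normalised (RFC 7234 s4.1)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return " ".join(value.split())
    return ""

class VaryCache:
    def __init__(self):
        # (method, url) -> list of (vary names, selecting request headers, response)
        self._entries = {}

    def store(self, method, url, req_headers, response):
        """Cache a response, remembering the request header values named in Vary."""
        names = [n.strip().lower()
                 for n in _hget(response["headers"], "Vary").split(",") if n.strip()]
        if "*" in names:
            return  # "Vary: *" means the response may never be reused from cache
        selecting = {n: _hget(req_headers, n) for n in names}
        self._entries.setdefault((method, url), []).append((names, selecting, response))

    def lookup(self, method, url, req_headers):
        """Return a stored response only if every Vary-named header matches."""
        for names, selecting, response in self._entries.get((method, url), []):
            if all(_hget(req_headers, n) == selecting[n] for n in names):
                return response
        return None

def demo():
    """Store a response produced for an XHR with a custom UA, then see who gets it."""
    url = "https://example.test/api"               # constructed URL
    xhr_req = {"User-Agent": "CustomClient/1.0"}   # constructed custom UA set via XHR
    browser_req = {"User-Agent": "Mozilla/5.0"}    # constructed ordinary browser UA
    body = "response tailored to CustomClient/1.0"  # constructed body
    served_to_browser = {}
    for label, vary in (("no_vary", ""), ("vary_ua", "User-Agent")):
        cache = VaryCache()
        cache.store("GET", url, xhr_req, {"headers": {"Vary": vary}, "body": body})
        served_to_browser[label] = cache.lookup("GET", url, browser_req) is not None
    return served_to_browser  # {"no_vary": True, "vary_ua": False}
```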
