Directive "Pragma" no-cache

Comments (12)

1. 

   Andrii Deinega reporter

   • marked as minor

   • 2022-04-22T23:48:07+00:00
2. 

   Michael Jones

   What is the specific specification change you are requesting? I can’t tell from the issue description.

   • 2022-04-24T01:45:05+00:00
3. 

   Andrii Deinega reporter

   I suggest removing all uses of “Pragma: no-cache“. The same applies to the OpenID Connect Core specification.

   Plus, change

   Cache-Control: no-cache, no-store

   to

   Cache-Control: no-store

   BTW, the core specification uses the latter.

   • 2022-04-24T03:05:15+00:00
4. 

   Michael Jones

   I’m curious @Brian Campbell ,@Filip Skokan , and @Joseph Heenan what you think of this suggestion.

   • 2022-04-24T07:03:54+00:00
5. 

   Filip Skokan

   I agree with removing pragma. I will defer the “content of cache-control“ to others more versed in the semantics.

   • 2022-04-24T11:12:07+00:00
6. 

   Brian Campbell

   Definitely remove pragma.

   And, as far as I understand it, no-store is the strongest anti-cache directive that is sufficient alone and the one that actually means ‘don’t cache this' so Cache-Control: no-store is okay.

   • 2022-04-26T11:33:28+00:00
7. 

   Joseph Heenan

   I agree with changing Cache-Control to just no-store, and doing so brings logout into line with Connect & RFC6749.

   I don’t know what to do about Pragma. Both OIDCC and RFC6749 explicitly have a MUST for pragma in token endpoint responses, though it does seem to have been dropped in OAuth 2.1. Removing it from logout likely makes sense. Is removing Pragma from OIDCC in an errata possible?

   ‌

   • 2022-04-26T13:02:48+00:00
8. 

   Joseph Heenan

   (The OIDCC part of the discussion is probably best continued in Filip’s new issue, https://bitbucket.org/openid/connect/issues/1488/certification-query-checking-do-not-cache )

   • 2022-04-26T13:04:46+00:00
9. 

   Andrii Deinega reporter

   @Joseph Heenan , it was dropped in OAuth 2.1, this change is a part of the latest draft https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05 available as of today.

   • 2022-04-26T17:27:25+00:00
10. 

    Andrii Deinega reporter

    What’s also quite interesting about the cache-control HTTP header is that it holds cache directives not only for responses but for requests as well. The “no-store“ directive

    The "no-store" request directive indicates that a cache MUST NOT
    store any part of either this request or any response to it. This
    directive applies to both private and shared caches. "MUST NOT
    store" in this context means that the cache MUST NOT intentionally
    store the information in non-volatile storage, and MUST make a
    best-effort attempt to remove the information from volatile storage
    as promptly as possible after forwarding it.

    per https://datatracker.ietf.org/doc/html/rfc7234#section-5.2.1.5.

    It means that it might make sense to use this directive for certain requests that contain sensitive data hoping that, for example, the browser will make an attempt to remove it from the memory. Of course, there is no guarantee for that and RFC 7234 says

    This directive is NOT a reliable or sufficient mechanism for ensuring privacy.

    Although I believe, the same applies to any other directives.

    • 2022-04-26T17:43:17+00:00
11. 

    Michael Jones

    Will be fixed by https://bitbucket.org/openid/connect/pull-requests/167/use-cache-control-no-store

    • 2022-04-30T10:55:41+00:00
12. 

    Michael Jones

    • changed status to resolved

    Fixed by https://bitbucket.org/openid/connect/pull-requests/167/use-cache-control-no-store

    • 2022-05-04T07:30:03+00:00
13. Log in to comment