certification query: checking "do not cache" response headers
The certification suite currently enforces the presence of the pragma: no-cache response header as well as the presence of cache-control: no-store (or optionally, in some tests, cache-control: no-cache, no-store).
As far back as Feb 2015 Brian noted that pragma: no-cache has no defined meaning in HTTP responses. This has now resurfaced again with backchannel logout. Likewise cache-control: no-store on its own is the strongest directive available, making no-cache redundant.
The proposal / question here is to make it so that the certification suite only performs a cache-control presence assertion, with a check that the no-store directive is present in it, for all scenarios where "do not cache" directives should be present. The extent of this update meets the intersection of what is incorrectly required by 6749 with what is technically correct and enough to instruct clients and intermediaries not to cache.
This does not mean the suite will start rejecting requests that include no-cache in cache-control or pragma: no-cache.
I have a PR open for this adjustment in the certification suite and @Joseph Heenan asked to have this run by the WG.
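A check of the kind proposed above, added here as an illustration (it is not the conformance suite's own code, and the sample responses are constructed): it asserts only that a Cache-Control header is present and carries the no-store directive, tolerating but never requiring pragma: no-cache or an extra no-cache directive.

```python
from typing import Dict, List, Optional, Tuple

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control field value into {lowercased directive: argument}.
    Commas inside quoted-string arguments (RFC 7234 section 5.2) must not split,
    so a small tokenizer is used instead of value.split(",")."""
    parts, token, in_quotes, i = [], [], False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and in_quotes and i + 1 < len(value):   # quoted-pair
            token.append(value[i + 1]); i += 2; continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(token)); token = []; i += 1; continue
        token.append(ch); i += 1
    parts.append("".join(token))
    directives: Dict[str, Optional[str]] = {}
    for part in parts:
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives

def check_do_not_cache(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """The proposed assertion: Cache-Control must be present and carry no-store.
    A Pragma header or an extra no-cache directive is tolerated, never required.
    Header names compare case-insensitively and repeated Cache-Control fields are
    combined with commas, as RFC 7230 section 3.2.2 permits."""
    values = [v for n, v in headers if n.lower() == "cache-control"]
    if not values:
        return False, "Cache-Control header missing"
    directives = parse_cache_control(",".join(values))
    if "no-store" not in directives:
        return False, "Cache-Control lacks no-store: " + ", ".join(sorted(directives))
    return True, "ok"

# Constructed sample responses (hypothetical, not captured from any deployment).
SAMPLES = {
    "no-store only": [("Cache-Control", "no-store")],
    "rfc6749 style": [("Cache-Control", "no-cache, no-store"), ("Pragma", "no-cache")],
    "pragma only": [("Cache-Control", "no-cache"), ("Pragma", "no-cache")],
    "quoted comma": [("cache-control", 'private, max-age=0, community="a, b", no-store')],
    "no header": [("Content-Type", "application/json")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:14s} -> {check_do_not_cache(hdrs)}")
```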
Comments (7)
- reporter: cc @Brian Campbell
- +1 to allowing for certifications without requiring nonsensical/redundant headers or directives
- +1 for me as well!
- changed status to open
  @Joseph Heenan can you provide an update on whether this has been resolved in the certification suite?
- Yes, I believe this was all addressed in the test suite via https://gitlab.com/openid/conformance-suite/-/issues/1031 and https://gitlab.com/openid/conformance-suite/-/merge_requests/1157
- changed status to resolved
  Resolved, per Joseph's response
The point of this issue is not to discuss the process to update/errata Core, or other existing specifications (neither examples, nor normative language), but rather to allow for certifications to go through without nonsensical headers and directives present.