certification query: checking "do not cache" response headers

Issue #1488 new
Filip Skokan created an issue

The certification suite currently enforces the presence of the pragma: no-cache response header as well as the presence of cache-control: no-store (or optionally in some tests cache-control: no-cache, no-store).

Going as far back as Feb 2015, Brian noted that pragma: no-cache has no defined meaning in HTTP responses. This has now resurfaced again with backchannel logout.

Likewise cache-control: no-store on its own is the strongest directive available, making no-cache redundant.

The proposal / question here is to make it so that the certification suite only performs cache-control presence assertion with a check for no-store directive presence in it for all scenarios where “do not cache” directives should be present. The extent of this update meets the intersection of what is incorrectly required by 6749 with what is technically correct and enough to instruct clients and intermediaries not to cache.

This does not mean the suite will start rejecting requests that include no-cache in cache-control or pragma: no-cache.

I have a PR open for this adjustment in the certification suite and @Joseph Heenan asked to have this run by the WG.
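
The check proposed above, sketched in Python as an added example; it is not part of the issue, the PR, or the certification suite's code. The function names and sample headers are assumptions made for illustration. It parses directives rather than substring-matching, so a `no-store` that only appears inside another directive's quoted argument does not pass.

```python
def _split_outside_quotes(value):
    """Split a Cache-Control field value on commas that are not inside a quoted-string."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_cache_control(values):
    """Map lower-cased directive names to their argument (or None) across all header lines."""
    directives = {}
    for value in values:
        for part in _split_outside_quotes(value):
            name, _, arg = part.partition("=")
            if name.strip():
                directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def check_do_not_cache(headers):
    """headers: list of (name, value) pairs. Pragma and no-cache are neither required nor rejected."""
    values = [v for n, v in headers if n.lower() == "cache-control"]
    if not values:
        return False, "cache-control header missing"
    if "no-store" not in parse_cache_control(values):
        return False, "cache-control has no no-store directive"
    return True, "ok"


# Constructed sample responses, not taken from the suite or the issue.
SAMPLES = [
    [("Cache-Control", "no-store")],
    [("cache-control", "no-cache, no-store"), ("Pragma", "no-cache")],
    [("Pragma", "no-cache")],
    [("Cache-Control", 'private="x-a, no-store"')],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_do_not_cache(sample))
```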

Comments (4)

  1. Filip Skokan reporter

    The point of this issue is not to discuss the process to update/errata Core, or other existing specifications (neither examples, nor normative language), but rather to allow for certifications to go through without nonsensical headers and directives present.

  2. Brian Campbell

    +1 to allowing for certifications without requiring nonsensical/redundant headers or directives
