On Monday 07 November 2005 21:10, Roy T. Fielding wrote:
> On Nov 7, 2005, at 1:01 PM, Paul Querna wrote:
> >> If there is a compelling reason to support not adding Cache-Control:
> >> private to authenticated requests, then it's definitely an option,
> >> but I think we should default to the safe option for now.
> >
> > The compelling reason is that this implies that even for the DEFAULT
> > configuration of apache, we should be sending cache-control private,
> > for EVERY page served.
>
> Why?
>
> > This also implies that if you use mod_rewrite based on any
> > non-Varied-Header information, you should be setting Cache-Control:
> > Private too.
>
> No, you should be setting Vary: * if the content varies.  That is
> also required by HTTP.

That applies if it varies by some request header.

The whole problem here is that Remote-IP is not a request header.
It is not accessible through HTTP.  And it would be hard to incorporate,
because either we trust it and it's trivial to forge, or we enforce it and
exclude any client behind NAT.

> The default in all cases should be HTTP-compliant.  You can define
> additional directives for overriding compliance by consent of
> the owner, but we shouldn't ship a server that doesn't work
> correctly by default.

If that was the only issue, there wouldn't be a problem.

-- 
Nick Kew
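
Added example, not part of the original message and not Apache or mod_cache code: a toy shared cache for the case discussed in this thread, where the origin's response depends on the client's IP address. The `origin` function, the `/report` path, the header values and both addresses are constructed for illustration, and treating `Vary: *` as "do not store" is this toy cache's simplification.

```python
# Toy shared cache, constructed for illustration (not mod_cache code).
ALLOWED_IP = "192.0.2.10"  # constructed address the origin trusts


def origin(remote_ip, extra_headers):
    """Origin whose body depends on the connection's remote IP."""
    body = "internal report" if remote_ip == ALLOWED_IP else "403 Forbidden"
    return dict(extra_headers), body


class SharedCache:
    def __init__(self, origin_headers):
        self.origin_headers = origin_headers  # headers the origin adds
        self.vary = {}     # path -> request-header names from Vary
        self.entries = {}  # (path, header values) -> cached body

    def fetch(self, path, req_headers, remote_ip):
        req = {k.lower(): v for k, v in req_headers.items()}
        if path in self.vary:
            key = (path, tuple(req.get(n, "") for n in self.vary[path]))
            if key in self.entries:
                # The lookup key is built from the request only; remote_ip
                # is not part of the HTTP message and cannot appear in it.
                return self.entries[key], "HIT"
        headers, body = origin(remote_ip, self.origin_headers)
        cc = headers.get("Cache-Control", "").lower()
        vary = headers.get("Vary", "").strip()
        if "private" in cc or vary == "*":
            return body, "MISS (not stored)"
        names = sorted(n.strip().lower() for n in vary.split(",") if n.strip())
        self.vary[path] = names
        self.entries[(path, tuple(req.get(n, "") for n in names))] = body
        return body, "MISS (stored)"


def second_client_result(origin_headers):
    """Allowed client primes the cache; a different IP then asks again."""
    cache = SharedCache(origin_headers)
    same_headers = {"User-Agent": "example/1.0"}
    cache.fetch("/report", same_headers, ALLOWED_IP)
    return cache.fetch("/report", same_headers, "198.51.100.7")


if __name__ == "__main__":
    for hdrs in ({}, {"Vary": "User-Agent"},
                 {"Cache-Control": "private"}, {"Vary": "*"}):
        print(hdrs, "->", second_client_result(hdrs))
```

With no headers, or with `Vary` naming a request header, the second client receives the cached body meant for the allowed address; only the two non-storable markings send it back to the origin.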
