On 11/08/2005 01:55 AM, Roy T. Fielding wrote:
> On Nov 7, 2005, at 3:10 PM, Ruediger Pluem wrote:
>

[..cut..]

>
> I can't remember which directive applies where, but if the
> access control is set to deny all and allow some, where some
> is a locally restricted subset of all, then cache-control
> private is required on non-error responses unless the request
> included Authorization (in which case cache-control private
> is optional because it is already implied with Auth).
>
> If the directive is set to allow all and deny some, then
> it is reasonable to assume that the access control is for
> service reasons, not authentication, and thus anyone who
> receives the message should be allowed to cache it for others.
>
> It would be wise to make both configurable.

Many thanks for clarification. So do you think that there is a todo for mod_authz_host
to add such things or should this be left to the administrator who can of course
use mod_headers in the first case to add Cache-Control: private?

Regards

Rüdiger
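
The two cases from the quoted reply, written out as Apache 2.2-style host access control with mod_headers (an added example, not part of the original message and not httpd's own behaviour; the directory paths and address ranges are constructed placeholders):

```apache
# Case 1: deny all, allow some.
# Access is restricted to a local subset of clients, so a shared cache
# in front of the server must not serve these responses to others.
<Directory "/var/www/intranet">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # "append" keeps any Cache-Control directives the content already
    # set and adds "private" to them. Without the "always" condition,
    # mod_headers applies this to non-error responses only.
    # Sending it on requests that carried Authorization is redundant
    # but harmless, since private is already implied there.
    Header append Cache-Control "private"
</Directory>

# Case 2: allow all, deny some.
# The restriction is for service reasons, not authentication, so
# responses stay cacheable by shared caches and no header is added.
<Directory "/var/www/public">
    Order allow,deny
    Allow from all
    Deny from 198.51.100.0/24
</Directory>
```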