Anne van Kesteren wrote:
>> Another thing that occurred to me is: do HTTP caches take the full
>> set of request headers into account when caching? Otherwise it could
>> be directly harmful to include Referer-Root and Method-Check headers.
>> The cache might store an "authorize" reply when the request is made
>> for Referer-Root A and wrongly respond with the same document when it is
>> checked for Referer-Root B.
>
> The authentication request cache is a separate thing that uses the
> Referer-Root and request URI as "primary key". Or do you mean something
> else?

Yes, I mean something else. I mean a general-purpose HTTP cache sitting
between the server and the XMLHttpRequest implementation. Including, but
not limited to, the cache in the browser.
/ Jonas
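
The caching concern raised in this thread, modelled as an added example that is not part of the original messages or of any specification text. It assumes a constructed origin that answers "allow" or "deny" per Referer-Root, placeholder host names, and the standard HTTP `Vary` response header as the way a server tells caches which request headers select the response.

```javascript
// Constructed origin: authorizes access for exactly one Referer-Root.
// The "allow"/"deny" bodies and all host names are placeholders for this example.
function origin(req, sendVary) {
  const allowed = req.headers["referer-root"] === "http://a.example";
  const headers = { "cache-control": "max-age=60" };
  if (sendVary) headers["vary"] = "Referer-Root";
  return { status: 200, headers, body: allowed ? "allow" : "deny" };
}

// A general-purpose cache sitting between client and server.
// honorVary=false models a cache whose key is method + URI only.
class HttpCache {
  constructor(honorVary) {
    this.honorVary = honorVary;
    this.store = new Map(); // primary key -> [{ varyOn, selected, response }]
  }
  fetch(req, upstream) {
    const key = req.method + " " + req.url;
    const variants = this.store.get(key) || [];
    for (const v of variants) {
      // A stored variant is reusable only if every header named in Vary matches.
      const same = v.varyOn.every(h => (req.headers[h] ?? null) === v.selected[h]);
      if (!this.honorVary || same) return { ...v.response, fromCache: true };
    }
    const response = upstream(req);
    const varyOn = (response.headers["vary"] || "")
      .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
    const selected = {};
    for (const h of varyOn) selected[h] = req.headers[h] ?? null;
    variants.push({ varyOn, selected, response });
    this.store.set(key, variants);
    return { ...response, fromCache: false };
  }
}

// Ask the same URI on behalf of site A, then site B, through one shared cache.
function demo(honorVary, sendVary) {
  const cache = new HttpCache(honorVary);
  const ask = root => cache.fetch(
    { method: "GET", url: "http://server.example/data",
      headers: { "referer-root": root } },
    r => origin(r, sendVary));
  const first = ask("http://a.example");
  const second = ask("http://b.example");
  return [first.body, second.body, second.fromCache];
}
```

`demo(false, true)` shows site B receiving site A's cached "allow"; `demo(true, false)` shows the same result from a Vary-aware cache when the origin omits `Vary`, so both the cache and the server have to cooperate.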