On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jo...@sicking.cc> wrote:
> Another thing that might be worth noting is that if the UA contains a
> HTTP cache (which most popular UAs do), the UA must never use a cached
> response that was the result of a request that was made with
> credentials, when making a request without. The same goes the other
> way around.

I gather this is because sites do not reliably use the Vary header? When processing a credential-less request, do you use a conditional GET to validate an existing cache entry that was first retrieved over a connection that used credentials?

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
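
The rule in the quoted message and the Vary point raised in the reply, as an added example that is not code from either poster: a toy UA cache keyed either on URL alone or on URL plus credentials mode. `UaCache`, `makeOrigin`, `scenario` and the `example.test` origin are hypothetical names constructed for illustration.

```javascript
// Added example: toy UA HTTP cache; all names and the origin are constructed.
class UaCache {
  constructor({ partitionByCredentials }) {
    this.partition = partitionByCredentials;
    this.entries = new Map();
  }
  // Key on URL alone (naive) or on URL plus credentials mode (the quoted rule).
  key(url, withCredentials) {
    return this.partition ? `${withCredentials ? "cred" : "anon"} ${url}` : url;
  }
  // A stored entry is reusable only if every header named in its Vary matches.
  varyMatches(entry, reqHeaders) {
    return entry.vary.every(
      (h) => (entry.reqHeaders[h] ?? null) === (reqHeaders[h] ?? null));
  }
  fetch(url, reqHeaders, origin) {
    const withCredentials = "cookie" in reqHeaders || "authorization" in reqHeaders;
    const k = this.key(url, withCredentials);
    const hit = this.entries.get(k);
    if (hit && this.varyMatches(hit, reqHeaders)) {
      return { body: hit.body, fromCache: true };
    }
    const res = origin(reqHeaders);
    const vary = (res.headers.vary || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    this.entries.set(k, { body: res.body, vary, reqHeaders: { ...reqHeaders } });
    return { body: res.body, fromCache: false };
  }
}

// Constructed origin: personalises on the cookie, may or may not send Vary.
function makeOrigin(sendVary) {
  return (reqHeaders) => ({
    headers: sendVary ? { vary: "Cookie" } : {},
    body: reqHeaders.cookie ? "private data for " + reqHeaders.cookie : "public page",
  });
}

// Credentialed request first, then a credential-less request for the same URL.
function scenario(partitionByCredentials, sendVary) {
  const cache = new UaCache({ partitionByCredentials });
  const origin = makeOrigin(sendVary);
  cache.fetch("https://example.test/feed", { cookie: "sid=alice" }, origin);
  return cache.fetch("https://example.test/feed", {}, origin);
}

console.log("URL-keyed, no Vary:  ", scenario(false, false));
console.log("URL-keyed, Vary sent:", scenario(false, true));
console.log("Partitioned, no Vary:", scenario(true, false));
```

Only the first case returns the credentialed body to the credential-less request; partitioning the key gives the same isolation as a correct `Vary: Cookie` without relying on the server to send it.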