[Webkit-unassigned] [Bug 49672] New: Allow no-store resources to be used for back navigation

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 17 10:08:44 PST 2010 

https://bugs.webkit.org/show_bug.cgi?id=49672

           Summary: Allow no-store resources to be used for back
                    navigation
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: joepeck at webkit.org


The HTTP spec allows 'Cache-Control: no-store' resources to be used when used for "History", such as back/forward navigation.

Relevant parts of the spec:
http://www.ietf.org/rfc/rfc2616.txt

13.13 History Lists

    User agents often have history mechanisms, such as "Back" buttons
    and history lists, which can be used to redisplay an entity retrieved
    earlier in a session.

>   History mechanisms and caches are different. In particular history
>   mechanisms SHOULD NOT try to show a semantically transparent view
>   of the current state of a resource. Rather, a history mechanism is
>   meant to show exactly what the user saw at the time when the resource
>   was retrieved.

    By default, an expiration time does not apply to history mechanisms.
    If the entity is still in storage, a history mechanism SHOULD display
    it even if the entity has expired, unless the user has specifically
    configured the agent to refresh expired history documents.

    This is not to be construed to prohibit the history mechanism from
    telling the user that a view might be stale.


14.9.2 What May be Stored by Caches

   no-store
      The purpose of the no-store directive is to prevent the
      inadvertent release or retention of sensitive information (for
      example, on backup tapes). The no-store directive applies to the
      entire message, and MAY be sent either in a response or in a
      request. If sent in a request, a cache MUST NOT store any part of
      either this request or any response to it. If sent in a response,
      a cache MUST NOT store any part of either this response or the
      request that elicited it. This directive applies to both non-
      shared and shared caches. "MUST NOT store" in this context means
      that the cache MUST NOT intentionally store the information in
      non-volatile storage, and MUST make a best-effort attempt to
      remove the information from volatile storage as promptly as
      possible after forwarding it.

>     Even when this directive is associated with a response, users
>     might explicitly store such a response outside of the caching
>     system (e.g., with a "Save As" dialog). History buffers MAY store
>     such responses as part of their normal operation.

      The purpose of this directive is to meet the stated requirements
      of certain users and service authors who are concerned about
      accidental releases of information via unanticipated accesses to
      cache data structures. While the use of this directive might
      improve privacy in some cases, we caution that it is NOT in any
      way a reliable or sufficient mechanism for ensuring privacy. In
      particular, malicious or compromised caches might not recognize or
      obey this directive, and communications networks might be
      vulnerable to eavesdropping.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list