tags:

views:

40

answers:

2
+2  Q: 

What is the risk of having HTTP header "Cache-Control: public"?

The Cache-Control HTTP/1.1 header can specify max-age as well as whether the cache content can be public or private, indicating whether intermediate cache can cache the content.

For example, Ruby on Rails's expires_in() defaults to using Cache-Control: private

What is the risk of making it public? If it is public, which extra places can cache the content -- would it be a proxy server, for example?

What if the website is like Amazon.com, but the user is anonymous, then probably there is not much privacy issue? What if the user is logged in, could there be privacy issue, because the data passes through places and the data is visible. If that location wants to be "bad", it really doesn't need to care about the Cache-Control: private anyway.

What if it is a website where user can be logged in, but the website only search for health products like fish oil and vitamins, and so forth. In that case, there is even less privacy involved because it is unlike Amazon.com where there are a lot more variety of products such as books for which a user can really care more about privacy issue.

Having said that, what is the additional advantage of have Cache-Control: public?

+1  A: 

The problem with Cache-Control: Public is that the response may be cached and displayed to a different user. This is a problem if you have an authenticated application that is displaying private data. In general, you should only use public for static pages, or pages that return the same data no matter what user is making the request.

Mike  2010-07-27 00:31:20
so it looks like even search results... or perhaps even static pages might not be good to be public, as 2 persons sharing the same computer may want privacy from each other about which webpage is cached. But I suppose also browsers should have a setting to make cache private no matter what the `Cache-Control` header says.
動靜能量  2010-07-27 01:08:37
A: 

I further found the following spec:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1

public

Indicates that the response MAY be cached by any cache, even if it would normally be non-cacheable or cacheable only within a non- shared cache. (See also Authorization, section 14.8, for additional details.)

private

Indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache. This allows an origin server to state that the specified parts of the response are intended for only one user and are not a valid response for requests by other users. A private (non-shared) cache MAY cache the response. Note: This usage of the word private only controls where the response may be cached, and cannot ensure the privacy of the message content.

So it looks like it is more about "shared cache" instead of intermediate cache.

動靜能量  2010-07-27 13:00:00

related questions

can i use "http header" to check if a dynamic page has been changed.
What should the HTTP response be when the resource is forbidden but there's an alternate resource?
How to detect when a user has successfully finished downloading a file in php
Interesting UTF-8 Yahoo File Download Headers
Access HTTP response headers in for flash.net.URLLoader object?
A way to prevent a mobile browser from downloading and displaying images
PHP - Custom error handling. Redirected 404 is being hijacked by AVG Anti-Virus. How to stop?
Where can I find a List of Standard HTTP Header Values?
Why is Apache + Rails is spitting out two status headers for code 500?
Why do I get "Cannot redirect after HTTP headers have been sent" when I call Response.Redirect(url)?
Possible to detect the *type of mobile device* via javascript or HTTP Headers?
Set up an HTTP proxy to insert a header
File name corruption on file download (IE)
How do I know WHEN to close an HTTP 1.1 Keep-Alive Connection?
How can I perform a HEAD request with the mechanize library?
How do I find the mime-type of a file with php?
HttpHeaders in ASP.NET 1.1
C# Get http:/.../File Size
Client-side detection of HTTP request method
How do you send a HEAD HTTP request in Python?
Specific Client Detection based on headers. Firefox extension?
How to encode the filename parameter of Content-Disposition header in HTTP?
How to set an HTTP header while using a Flex RemoteObject method ?
Making sure a web page is not cached, across all browsers.
IE6 and Caching