[1901] in WWW Security List Archive


Re: how do I keep a browser from caching files

daemon@ATHENA.MIT.EDU (Alberto Accomazzi)
Wed Apr 24 13:20:35 1996

Reply-To: Alberto Accomazzi <alberto@cfa.harvard.edu>
To: "David W. Morris" <dwm@shell.portal.com>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: Your message of Tue, 23 Apr 1996 22:14:22 -0700.
             <Pine.SUN.3.90.960423221243.11428B-100000@jobe.shell.portal.com> 
Date: Wed, 24 Apr 1996 10:30:57 -0400
From: Alberto Accomazzi <alberto@cfa0.HARVARD.EDU>
Errors-To: owner-www-security@ns2.rutgers.edu

In message <Pine.SUN.3.90.960423221243.11428B-100000@jobe.shell.portal.com>,
"David W. Morris" writes:

> 
> 
> On Tue, 23 Apr 1996, Pierre-Yves Bonnetain wrote:
> 
> >    I would propose another (different) scheme. Usually, browsers do not cache data
> > resulting from a POST operation.
> >    So write a small cgi wrapper around your sensitive HTML files, that reads them and sends
> > them back to the browser. This should be easy, and it may well solve your problem.
> 
> A word to the wise .... I have recently observed Netscape 2.0 give evidence
> that it was caching the responses from POSTs ... as I recall I was asked if
> I wanted to view the old response or have the POST repeated.

That's correct, I also noticed that netscape 2.01 does cache POSTs
(even though when you select "Document Info" from the "View" menu it
says that the page resulting from a POST is not cached, nor does it
give a last modified date, even if the server sent one).

When you go back to the page using your history button, netscape will
show the cached version.  As I recall, earlier beta versions of 2.0
would only cache POSTed documents that had a Last-modified date or an
expiration date set, and then would issue a conditional POST (with an
If-Modified-Since HTTP header) when the user went back to the page
(either through the history list or through a link).

As I see it, the whole caching issue is in a rather messy state right
now, with the most popular browsers forcing data providers to worry
about details that have been left unspecified or not so well defined 
by the HTTP drafts.  For instance, as Larry Masinter pointed out, the 
"Pragma: no-cache" directive was designed to avoid caching by Proxy
Servers originally, was then adopted by netscape as a directive to be
used by browsers as well, and as a result of that it ended up
affecting the way history works on netscape browsers, so now we're
stuck with the current state of things without being able to
differentiate proxy server versus client caching.

I hope this and related issues will be clarified in HTTP/1.1, even though
I'm not seeing any substantial progress on this in the current draft.


- Alberto


============
Alberto Accomazzi                       Smithsonian Astrophysical Observatory
alberto@cfa.harvard.edu                 60 Garden Street, MS 83
http://cfa-www.harvard.edu/~alberto     Cambridge, MA  02138  USA
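
The CGI wrapper idea quoted in this thread, sketched as an added example that is not part of the original message or of any poster's code. It assumes a hypothetical document root and file name; `Pragma: no-cache` is the directive discussed above, while `Cache-Control: no-store` comes from later HTTP/1.1 specifications and is an addition here.

```python
import os
import tempfile

# "Pragma: no-cache" is the directive named in the thread. "Cache-Control:
# no-store" is an addition from HTTP/1.1 (assumption: the client honours it).
NO_CACHE_HEADERS = [("Cache-Control", "no-store"), ("Pragma", "no-cache")]


def resolve(doc_root, requested):
    """Map a requested name to a regular file under doc_root, else None."""
    root = os.path.realpath(doc_root)
    path = os.path.realpath(os.path.join(root, requested))
    # A wrapper that reads files on request must not be steerable outside
    # the directory holding the sensitive pages (../ or absolute paths).
    if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
        return None
    return path


def build_response(doc_root, requested):
    """Return the complete CGI response (headers, blank line, body) as bytes."""
    path = resolve(doc_root, requested)
    if path is None:
        body = b"Not found\n"
        headers = [("Status", "404 Not Found"), ("Content-Type", "text/plain")]
    else:
        with open(path, "rb") as fh:
            body = fh.read()
        headers = [("Status", "200 OK"), ("Content-Type", "text/html")]
    # Neither Last-Modified nor Expires is sent: the message above reports
    # early Netscape 2.0 betas caching POST results that carried either one.
    headers += NO_CACHE_HEADERS + [("Content-Length", str(len(body)))]
    head = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return head.encode("ascii") + b"\r\n" + body


def demo():
    """Serve a constructed sample page and a traversal attempt from a temp root."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.html"), "wb") as fh:
            fh.write(b"<html>secret</html>")  # constructed sample content
        return (build_response(root, "report.html"),
                build_response(root, "../../etc/passwd"))


if __name__ == "__main__":
    served, refused = demo()
    print(served.decode("ascii"))
    print(refused.decode("ascii"))
```

Whether a given browser honours these headers for its history list is exactly the behaviour the thread describes as inconsistent, so the response should be checked against the browsers actually in use.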
