[TYPO3-dev] Core Behaviour: Using Cache-Control Headers to prevent _Clients_ from Caching

[Martin Kutschker]

Ekkehard Gümbel schrieb:
> Martin Kutschker schrieb:
> 
>> You mean use "no-cache" instead of "private"?
> 
> Instead of
>   Cache-Control: private
> we would send
>   Pragma: no-cache
>   Cache-Control: private, must-revalidate, no-store
>   Expires: Thu, 01 Dec 1994 16:00:00 GMT

So you only want to enforce the no-cache for not cache-control compliant 
proxies/clients? Then we really do not need a new config setting. 
Interestingly the "Pragma: no-cache" is in the code but commented out.

Hm, I usally trust the specs, but may Ole has tested enough browsers and 
has a reason not to use "Pragma: no-cache" .

>>> My point was that some (like Ole) MAY want to allow private caching 
>>> but not proxy caching, though.
>>
>>
>> Something I don't understand in the current code. Private caching 
>> makes only sense if I set a max age otherwise it's odd that TYPO3 
>> explicitely allows client side caching of non-cachable data.
> 
> Tt is not that TYPO3 explicitely allows client side caching, it just 
> does not prevent IE from doing it (BTW: Firefox behaves different)

Sending "Cache-Control: private" allows it. If clients don't do what they 
are told to is another matter.

> I agree that
> - for accurate dynamic data or
> - for high security in a shared environment
> this should be done, or at least a short "Expires:" or similar should be 
> set (some do that by setting some global apache options).
> If your point ist just to prevent private data from appearing inside a 
> proxy cache, then the current "Cache-Control: private" is sufficient. 

My point was to force the client to refetch the document every time 
(accurate dynamic data).

> Again: The latter statement (like the rest) is only true if all 
> components behave in a legal manner; we have no control about them.

Well, that's true for most output - just think of what is done to the 
(x)html TYPO3 delivers ;-)

Masi