From: Amos Jeffries
Date: Fri, 30 Nov 2012 13:38:38 +0000 (-0700)
Subject: Treat no-cache as must-revalidate in Authentication
X-Git-Tag: SQUID_3_2_4~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8706eb0ae205048d85631bd31d078b679b15834f;p=thirdparty%2Fsquid.git
Treat no-cache as must-revalidate in Authentication
Wrapped as a violation because this operation is off-spec. CC:no-cache was omitted from the HTTP spec apparently on grounds that changing its caching effects on authentication would come as a surprise. The actual operation is safe enough to use when parameterless no-cache is treated strictly as an alias for must-revalidate (as done by Squid now). Ref: http://lists.w3.org/Archives/Public/ietf-http-wg/2012OctDec/0387.html
---
diff --git a/src/http.cc b/src/http.cc
index 3bcd73ce01..6e72b1248a 100644
--- a/src/http.cc
+++ b/src/http.cc
@@ -395,25 +395,28 @@ HttpStateData::cacheableReply()
 return 0;
 }
- // HTTPbis pt7 section 4.1 clause 3: a response CC:public is present
 bool mayStore = false;
+ // HTTPbis pt6 section 3.2: a response CC:public is present
 if (rep->cache_control->Public()) {
 debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
 mayStore = true;
- // HTTPbis pt7 section 4.1 clause 2: a response CC:must-revalidate is present
+ // HTTPbis pt6 section 3.2: a response CC:must-revalidate is present
 } else if (rep->cache_control->mustRevalidate() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
 debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
 mayStore = true;
-#if 0 // waiting on HTTPbis WG agreement before we do this
+#if USE_HTTP_VIOLATIONS
 // NP: given the must-revalidate exception we should also be able to exempt no-cache.
- } else if (rep->cache_control->noCache()) {
- debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache");
+ // HTTPbis WG verdict on this is that it is omitted from the spec due to being 'unexpected' by
+ // some. The caching+revalidate is not exactly unsafe though with Squids interpretation of no-cache
+ // as equivalent to must-revalidate in the reply.
+ } else if (rep->cache_control->noCache() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
+ debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache (equivalent to must-revalidate)");
 mayStore = true;
 #endif
- // HTTPbis pt7 section 4.1 clause 1: a response CC:s-maxage is present
+ // HTTPbis pt6 section 3.2: a response CC:s-maxage is present
 } else if (rep->cache_control->sMaxAge()) {
 debugs(22, 3, HERE << " Authenticated but server reply Cache-Control:s-maxage");
 mayStore = true;
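Review bot: The new `noCache()` branch makes replies to authenticated requests storable, but the commit message limits the safety argument to parameterless no-cache and the condition as written does not show that distinction; whether `noCache()` is also true for the `no-cache="field"` form cannot be told from this hunk. Storing here is only safe if every later hit is forced through revalidation with the origin, and that enforcement lives outside the hunk, so I would state the dependency next to the branch, for example `// Safe only while the hit path revalidates every no-cache reply, parameterised form included, before reuse.` Separately, the must-revalidate branch above still logs `Cache-Control:public`, which misleads anyone tracing why an authenticated reply was stored; it should read `debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:must-revalidate");`. cacheableReply() starts and ends outside the hunk.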