Commit
Refs #3150 can pass description to RSS page shell
Showing 1 changed file with 25 additions and 18 deletions.
ba2a853
Is that a way to spook on people? How do you cache encrypted contents? Once per request?
https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=ieinternals&y=2010&m=04&d=21&WeblogPostName=internet-explorer-may-bypass-cache-for-cross-domain-https-content&GroupKeys=
After reading [this blog article on IE Internals](https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=ieinternals&y=2009&m=10&d=02&WeblogPostName=internet-explorer-cannot-download-over-https-when-no-cache&GroupKeys=), and [that one by the same author](https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=ieinternals&y=2010&m=04&d=21&WeblogPostName=internet-explorer-may-bypass-cache-for-cross-domain-https-content&GroupKeys=), I'm a bit confused about how IE handles caching. But Cache-Control: public means that the response MAY be cached by any cache, even if it would normally be non-cacheable or cacheable only within a non-shared cache, hence my initial question.
On Firefox, [about:cache?device=disk](about:cache?device=disk) shows that HTTPS content is cached to disk when Cache-Control: public is set. On IE, says Eric Law in the blogs mentioned above, "you CAN specify Cache-Control: no-store, no-cache and the download will work, but if you specify these directives in the opposite order, it will fail."
Overall, this feature can become a privacy issue on IE and other browsers. Maybe Cache-Control: no-store, no-cache would provide a better solution, privacy-wise, at the cost of additional work for RSS readers.
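The privacy point in the comment above comes down to how caches interpret the Cache-Control directives on a response. The following added example (not Elgg code and not part of this commit) parses a Cache-Control header and applies the RFC 7234 storage rules, so a reviewer can check whether a given feed response is storable by a shared cache or by the browser's disk cache. The request and response headers at the bottom are constructed to mirror the scenario discussed here (an authenticated HTTPS feed served with `public`); the function names are this example's own.

```python
"""Evaluate how caches may treat an HTTP response from its Cache-Control header.

Added illustration for the discussion above; it is not Elgg's code. The
storage rules follow RFC 7234 section 3 (no-store, private, public and the
special case of responses to authenticated requests).
"""

from typing import Dict, List, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'public, max-age=600' into {'public': None, 'max-age': '600'}.

    Directive names are case-insensitive; insertion order is kept so the
    original directive order is still visible to the caller.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _has_header(headers: Dict[str, str], name: str) -> bool:
    return any(k.lower() == name.lower() for k in headers)


def shared_cache_may_store(request: Dict[str, str], response: Dict[str, str]) -> bool:
    """True if a shared cache (proxy, CDN) is permitted to store the response."""
    cc = parse_cache_control(response.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "public" in cc:
        # 'public' is explicit permission: it overrides the rule below, which is
        # exactly why it matters on a feed that required credentials.
        return True
    if _has_header(request, "Authorization"):
        # RFC 7234 3.2: a response to an authenticated request is not shared-
        # cacheable unless it carries public, must-revalidate or s-maxage.
        return "must-revalidate" in cc or "s-maxage" in cc
    return True  # no directive forbids storage (freshness/status aside)


def private_cache_may_store(response: Dict[str, str]) -> bool:
    """True if the user's own browser cache (including disk) may store the body.

    Only 'no-store' forbids storage; 'no-cache' merely forces revalidation
    before reuse, so a body tagged no-cache can still be written to disk.
    """
    cc = parse_cache_control(response.get("Cache-Control", ""))
    return "no-store" not in cc


def audit_feed_response(request: Dict[str, str], response: Dict[str, str]) -> List[str]:
    """Return human-readable findings about where this response may end up."""
    findings: List[str] = []
    cc = parse_cache_control(response.get("Cache-Control", ""))
    if private_cache_may_store(response):
        findings.append("browser may persist the body to its disk cache (no 'no-store')")
    if shared_cache_may_store(request, response):
        findings.append("shared caches may store this response")
        if "public" in cc and _has_header(request, "Authorization"):
            findings.append("'public' overrides the authenticated-request rule")
    return findings


# Constructed sample traffic, modelled on the scenario in the comment above.
AUTHENTICATED_FEED_REQUEST = {"Authorization": "Basic ZXhhbXBsZTpleGFtcGxl"}  # constructed
PUBLIC_FEED_RESPONSE = {"Content-Type": "application/rss+xml", "Cache-Control": "public"}
NO_STORE_FEED_RESPONSE = {"Content-Type": "application/rss+xml",
                          "Cache-Control": "no-store, no-cache"}

if __name__ == "__main__":
    for label, resp in (("public", PUBLIC_FEED_RESPONSE), ("no-store", NO_STORE_FEED_RESPONSE)):
        print(label, audit_feed_response(AUTHENTICATED_FEED_REQUEST, resp))
```

Running the script shows the difference the comment is worried about: with `public` both the disk cache and any shared cache may keep the authenticated feed, while `no-store, no-cache` forbids storage everywhere, at the cost of readers having to refetch each time.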
Well, this commit did not actually add this header override. That's been around since some version of 1.7. We discovered the issue when Outlook users were reporting that they couldn't read RSS feeds from Elgg when the Elgg site was using SSL. That's a common use case for those using Elgg on corporate intranets. Debugging this is a pain since I don't have easy access to Outlook (and really I would need access to the major versions of Outlook - 2003, 2007, etc.). We would need to find test users to evaluate other solutions.