Storing responses with Authentication #161
… be stored In httpwg#161, the suggestion was made to explicitly note when a directive allows the response to be cached, even with Authorization being used. According to section `caching.authenticated.responses`, `public` also has this effect, so I added a note there. Additionally, in `cache-response-directive.s-maxage`, I tried to make it clearer that `s-maxage` overrides Authorization as well, due to the implication of proxy-revalidate and thus must-revalidate.
I think this issue needs to be reopened and the specification text reverted to something more like what was in RFC2616. That spec specifically requires public be present to allow responses to a request with Authorization to be stored by a shared cache, regardless of must-revalidate or proxy-revalidate. This is not implied by those other directives.