When you revalidate, make sure that you aren't revalidating unauthent…

…icated gunk
httpwg · Jan 3, 2017 · 54647b3 · 54647b3
1 parent 321073c
commit 54647b3
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/draft-ietf-httpbis-http2-encryption.md b/draft-ietf-httpbis-http2-encryption.md
@@ -201,6 +201,11 @@ Any strongly authenticated alternative service can provide this response.  That
 the http-opportunistic response is valid, any authenticated alternative service can be used for
 that origin.
 
+Clients that use cached http-opportunistic responses MUST ensure that their cache is cleared of
+any responses that were acquired over an unauthenticated connection.  Revalidating an
+unauthenticated response using an authenticated connection does not ensure the integrity of the
+response.
+
 
 # IANA Considerations