<div dir="ltr">I think it'd be okay to have the "no-cache" directive the example as well, if folks are keen on that. But it doesn't replace "no-store". The example could have both like, "Cache-Control: no-cache, no-store". I don't think it's necessary as "no-store" is the stricter but I think it's okay to have it there too.  <br><br>On the <a href="http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150223/005280.html">call yesterday</a> I asked if folks thought there should also be normative text in the Form Post Response Mode doc about not caching the authorization response containing the auto-submitting HTML form. There's some text in <a href="http://tools.ietf.org/html/rfc6749#section-5.1">§5.1 of RFC 6749 / <span style="background-color:rgb(255,255,255)"><span tabindex="-1" id=":40n.1" style="background-image:none;background-repeat:repeat" class="">OAuth</span></span> 2.0 </a>that could be interpreted as obviating the need for it, which says that the 'authorization server MUST include the HTTP "Cache-Control" response header field [RFC2616] with a value of "no-store" in any response containing tokens, credentials, or other sensitive information'.  However, that's in a section about the token endpoint and so could also be interpreted as not applying to the authorization response from the authorization endpoint at all. 
Thus, I'm (sorta) proposing to add the following sentence to the end of <a href="http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseMode">§2 of OAuth 2.0 Form Post Response Mode</a>, 'Because the Authorization Response contains sensitive information, the Authorization Server MUST include the HTTP "Cache-Control" response header field [RFC2616] with a value of "no-store" in the response.'<br><br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 23, 2015 at 4:55 PM, Brian Campbell <span dir="ltr"><<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>But that text is about directives on the cache-control _request_ header.  <br><br></div>The directives in question here are on the _response_. <br><br><a href="https://tools.ietf.org/html/rfc7234#section-5.2.2" target="_blank">https://tools.ietf.org/html/rfc7234#section-5.2.2</a> is about the response directives. With <a href="https://tools.ietf.org/html/rfc7234#section-5.2.2.3" target="_blank">https://tools.ietf.org/html/rfc7234#section-5.2.2.3</a> saying this about "no-store",<br><br><pre>   The "no-store" response directive indicates that a cache MUST NOT
   store any part of either the immediate request or response.  This
   directive applies to both private and shared caches.  "MUST NOT
   store" in this context means that the cache MUST NOT intentionally
   store the information in non-volatile storage, and MUST make a
   best-effort attempt to remove the information from volatile storage
   as promptly as possible after forwarding it.<br><br></pre>While "no-cache" at <a href="https://tools.ietf.org/html/rfc7234#section-5.2.2.2" target="_blank">https://tools.ietf.org/html/rfc7234#section-5.2.2.2</a> isn't as strong:<br><br><pre>   The "no-cache" response directive indicates that the response MUST
   NOT be used to satisfy a subsequent request without successful
   validation on the origin server.  This allows an origin server to
   prevent a cache from using it to satisfy a request without contacting
   it, even by caches that have been configured to send stale responses.</pre><br><br><br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 23, 2015 at 4:39 PM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Brian, “Cache-control: no-store” does not seem to imply “Cache-control: no-cache”.  I say that because of this sentence in 5.2.1.5 of
<a href="https://tools.ietf.org/html/rfc7234#section-5.2.1" target="_blank">https://tools.ietf.org/html/rfc7234#section-5.2.1</a>:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN">   Note that if a request containing this directive is satisfied from a<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN">   cache, the no-store request directive does not apply to the already<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN">   stored response.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Therefore, to be safe, I believe that we have to replace the “Pragma: no-cache” in our example with “Cache-control: no-cache”.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Do people agree with that conclusion?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                            -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Thursday, February 19, 2015 7:19 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> Brian Campbell; <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b> Re: [Openid-specs-ab] Form Post Response Mode example has 'Pragma: no-cache'<u></u><u></u></span></p>
</div>
</div><div><div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Yes and yes.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Feb 19, 2015, at 5:08 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">First question to the working group:  Do we agree that<span> </span></span>"Pragma: no-cache"<span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">should
 be changed to<span> </span></span>"Cache-Control: no-cache"<span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">in
 the Form Post Response Mode spec before approval?</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Second question to the working group:  If we agree to make this change (to text that only occurs in a non-normative example), are people comfortable doing this
 without restarting the 60 day review period (but still notifying people of the change)?</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">My personal answers would be “yes” and “yes” but we shouldn’t do this at this point unless there’s working group consensus to do so.</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Brian, could you also send a note to the OAuth working group pointing this problem with RFC 6749 and RFC 6750 and asking whether errata should be filed?  This
 would help get more expert eyes on the issue.</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks for bringing this to our attention, Brian!</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                                -- Mike</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span></span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Openid-specs-ab
 [<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">mailto:openid-specs-ab-bounces@lists.openid.net</a>]<span> </span><b>On Behalf Of<span> </span></b>Brian Campbell<br>
<b>Sent:</b><span> </span>Thursday, February 19, 2015 2:17 PM<br>
<b>To:</b><span> </span><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b><span> </span>[Openid-specs-ab] Form Post Response Mode example has 'Pragma: no-cache'</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">The example response in<span> </span><a href="http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-03.html#FormPostResponseExample" target="_blank"><span style="color:purple">http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-03.html#FormPostResponseExample</span></a><span> </span>has
 a "Pragma: no-cache" response header.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">However both<span> </span><a href="http://tools.ietf.org/html/rfc2616#section-14.32" target="_blank"><span style="color:purple">RFC 2616</span></a><span> </span>and the shiny new<span> </span><a href="https://tools.ietf.org/html/rfc7234#section-5.4" target="_blank"><span style="color:purple">RFC
 7234</span></a><span> </span>make special note along the lines of the following to say that it doesn't work as a response header:<br>
<br>
<br>
<br>
<u></u><u></u></p>
</div>
<pre><span style="font-size:12.0pt">     'Note: Because the meaning of "Pragma: no-cache" in responses is</span><u></u><u></u></pre>
<pre><span style="font-size:12.0pt">      not specified, it does not provide a reliable replacement for</span><u></u><u></u></pre>
<pre><span style="font-size:12.0pt">      "Cache-Control: no-cache" in them.'</span><u></u><u></u></pre>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
It doesn't really hurt anything having it in the Form Post Response Mode document but I'm thinking it'd be better to not further perpetuate the "Pragma: no-cache" response header myth in this specification* and that that line should probably be removed from
 the example.<u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">Or am I wrong on this? And if so, what am I missing?<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">* And, yeah, it's in Connect Core and OAuth 2.0 as well but I figured starting with a draft that wasn't yet final was good.<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><u></u><u></u></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
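<p>The distinction the thread turns on (a "no-cache" response directive only forbids reuse without revalidation, "no-store" forbids storing at all, and "Pragma: no-cache" has no defined meaning in a response) is easy to get wrong in server code. The following is an added example, written for this page and not code from the thread, the OpenID Foundation or any specification: it builds the headers and auto-submitting form for a Form Post Response Mode authorization response and audits an arbitrary header set against the rule the thread proposes ("Cache-Control" MUST carry "no-store"). All function names and the finding strings are this example's own; the sample header sets in the comments are constructed. The audit goes slightly beyond the thread's single case by parsing Cache-Control directives generally (case-insensitive names, optional arguments).</p>

```python
"""Build and audit cache headers on a Form Post Response Mode authorization response.

Added example for the mailing-list thread above; not from the thread or any spec.
Section numbers in comments refer to RFC 7234 as cited in the thread.
"""
import html
from typing import Dict, List, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control field value into {directive: argument}.

    Directive names are case-insensitive (RFC 7234 section 5.2); an argument
    is kept as given with surrounding quotes stripped, and a directive with
    no argument maps to the empty string.
    """
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for an authorization response's headers.

    An empty list means the response carries 'Cache-Control: no-store', the
    directive the proposed normative sentence requires. Header names are
    compared case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = parse_cache_control(lower.get("cache-control", ""))

    if "no-store" not in cc:
        findings.append("missing 'Cache-Control: no-store'")
        if "no-cache" in cc:
            # no-cache (5.2.2.2) only forbids reuse without revalidation; the
            # stored copy may still sit on disk. no-store (5.2.2.3) forbids storing.
            findings.append("'no-cache' alone permits storing the response")
    pragma = parse_cache_control(lower.get("pragma", ""))
    if "no-cache" in pragma and "cache-control" not in lower:
        # The meaning of Pragma: no-cache in a response is unspecified (5.4).
        findings.append("'Pragma: no-cache' is not a reliable substitute for Cache-Control")
    return findings


def authorization_response_headers(include_no_cache: bool = True) -> Dict[str, str]:
    """Headers for the auto-submitting form response.

    'no-store' is mandatory under the proposed text; 'no-cache' is added
    alongside it, which the thread regards as acceptable but not necessary.
    """
    value = "no-store, no-cache" if include_no_cache else "no-store"
    return {"Content-Type": "text/html;charset=UTF-8", "Cache-Control": value}


def form_post_body(redirect_uri: str, params: Dict[str, str]) -> str:
    """Auto-submitting HTML form carrying the authorization response parameters.

    Every name, value and the action URI are HTML-escaped so that a crafted
    'state' or 'error_description' cannot break out of its attribute.
    """
    fields = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    return (
        "<html><head><title>Submit This Form</title></head>"
        '<body onload="javascript:document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(redirect_uri, quote=True)}">'
        f"{fields}</form></body></html>"
    )


def build_authorization_response(
    redirect_uri: str, params: Dict[str, str]
) -> Tuple[int, Dict[str, str], str]:
    """Status, headers and body of a complete Form Post authorization response."""
    return 200, authorization_response_headers(), form_post_body(redirect_uri, params)


if __name__ == "__main__":
    # Constructed sample: the 'before' header set from the thread's example
    # (Pragma only) versus the proposed 'after' (Cache-Control: no-store).
    print(audit_cache_headers({"Pragma": "no-cache"}))
    print(audit_cache_headers({"Cache-Control": "no-cache"}))
    print(audit_cache_headers(authorization_response_headers()))
```

<p>Running the audit over the thread's three candidate header sets shows the ordering the participants arrive at: "Pragma: no-cache" alone and "Cache-Control: no-cache" alone each produce findings, while any set containing "no-store" passes, with or without "no-cache" beside it.</p>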