[Openid-specs-ab] Form Post Response Mode example has 'Pragma: no-cache'

Brian Campbell bcampbell at pingidentity.com
Thu Feb 19 23:24:43 UTC 2015


The example in Form Post Response Mode already has "Cache-Control:
no-store", which I believe is sufficient. So the proposed change here would
be just to delete the "Pragma: no-cache" bit.

Other than that caveat, my personal answers to the questions Mike posed
would also be “yes” and “yes”.

Yes, I'll send a note to the OAuth WG.

On Thu, Feb 19, 2015 at 4:08 PM, Mike Jones <Michael.Jones at microsoft.com>
wrote:

>  First question to the working group:  Do we agree that "Pragma: no-cache"
> should be changed to "Cache-Control: no-cache" in the Form Post Response
> Mode spec before approval?
>
> Second question to the working group:  If we agree to make this change (to
> text that only occurs in a non-normative example), are people comfortable
> doing this without restarting the 60 day review period (but still notifying
> people of the change)?
>
> My personal answers would be “yes” and “yes” but we shouldn’t do this at
> this point unless there’s working group consensus to do so.
>
> Brian, could you also send a note to the OAuth working group pointing out this
> problem with RFC 6749 and RFC 6750 and asking whether errata should be
> filed?  This would help get more expert eyes on the issue.
>
> Thanks for bringing this to our attention, Brian!
>
> -- Mike
>
> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] *On
> Behalf Of *Brian Campbell
> *Sent:* Thursday, February 19, 2015 2:17 PM
> *To:* <openid-specs-ab at lists.openid.net>
> *Subject:* [Openid-specs-ab] Form Post Response Mode example has 'Pragma:
> no-cache'
>
> The example response in
> http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-03.html#FormPostResponseExample
> has a "Pragma: no-cache" response header.
>
> However both RFC 2616 <http://tools.ietf.org/html/rfc2616#section-14.32>
> and the shiny new RFC 7234
> <https://tools.ietf.org/html/rfc7234#section-5.4> make special note along
> the lines of the following to say that it doesn't work as response header:
>
>
>       'Note: Because the meaning of "Pragma: no-cache" in responses is
>       not specified, it does not provide a reliable replacement for
>       "Cache-Control: no-cache" in them.'
>
>
> It doesn't really hurt anything having it in the Form Post Response Mode
> document but I'm thinking it'd be better to not further perpetuate the
> "Pragma: no-cache" response header myth in this specification* and that
> that line should probably be removed from the example.
>
> Or am I wrong on this? And if so, what am I missing?
>
> * And, yeah, it's in Connect Core and OAuth 2.0 as well but I figured
> starting with a draft that wasn't yet final was good.
>
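As an added example, not code from this thread, the spec, or the OpenID project: a small audit that reports what an authorization response actually guarantees about caching, counting only Cache-Control directives and treating "Pragma: no-cache" on a response as informational. The sample responses and the function names are constructed for illustration.

```python
# Added example, not from the thread or the spec: audit the cache headers on an
# authorization response (e.g. the Form Post Response Mode page that carries the
# code/id_token in an auto-submitting form). Only Cache-Control directives count;
# "Pragma: no-cache" has no defined meaning in a response (RFC 7234 section 5.4).
from typing import Dict, List, Tuple

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Lower-cased (name, value) pairs from a raw response; stops at the blank line."""
    pairs = []
    for line in raw.split("\r\n")[1:]:      # [0] is the status line
        if not line:
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cache_control_directives(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Merge every Cache-Control field (the field may repeat and may hold a
    comma-separated list) into one directive -> argument map."""
    directives: Dict[str, str] = {}
    for name, value in headers:
        if name != "cache-control":
            continue
        for token in value.split(","):
            key, _, arg = token.strip().partition("=")
            if key:
                directives[key.lower()] = arg.strip('"')
    return directives

def audit_cache_headers(raw: str) -> Dict[str, object]:
    """'safe' is True only when Cache-Control: no-store is present, i.e. no cache
    may store the body. Pragma on a response is reported but never trusted."""
    headers = parse_headers(raw)
    cc = cache_control_directives(headers)
    pragma = any(n == "pragma" and "no-cache" in v.lower() for n, v in headers)
    findings = []
    if "no-store" not in cc:
        findings.append("missing Cache-Control: no-store")
    if pragma and not cc:
        findings.append("Pragma: no-cache is the only cache header; it gives no "
                        "protection in a response (RFC 7234 section 5.4)")
    elif pragma:
        findings.append("Pragma: no-cache is redundant next to Cache-Control")
    return {"safe": "no-store" in cc, "directives": cc, "findings": findings}

# Constructed sample responses (hypothetical; not copied from the spec example).
SPEC_LIKE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
             "Cache-Control: no-store\r\nPragma: no-cache\r\n\r\n<html>...")
PRAGMA_ONLY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
               "Pragma: no-cache\r\n\r\n<html>...")
```

Running `audit_cache_headers(SPEC_LIKE)` reports the response as safe with the Pragma line flagged as redundant, which is the thread's conclusion; the Pragma-only variant is reported as unprotected.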