<div dir="ltr"><div><div>The example in Form Post Response Mode already has "Cache-Control: no-store", which I believe is sufficient. So the proposed change here would be just to delete the "Pragma: no-cache" bit.<br><br></div>Other than that caveat, my personal answers to the questions Mike posed would also be “yes” and “yes”.<br><br></div>Yes, I'll send a note to the OAuth WG. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 19, 2015 at 4:08 PM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">First question to the working group:  Do we agree that
</span><span style="color:black">"Pragma: no-cache"</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> should be changed to
</span><span style="color:black">"Cache-Control: no-cache"</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> in the Form Post Response Mode spec before approval?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Second question to the working group:  If we agree to make this change (to text that only occurs in a non-normative example), are people comfortable doing this
 without restarting the 60 day review period (but still notifying people of the change)?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">My personal answers would be “yes” and “yes” but we shouldn’t do this at this point unless there’s working group consensus to do so.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Brian, could you also send a note to the OAuth working group pointing this problem with RFC 6749 and RFC 6750 and asking whether errata should be filed?  This
 would help get more expert eyes on the issue.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks for bringing this to our attention, Brian!<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                                -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-ab [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Brian Campbell<br>
<b>Sent:</b> Thursday, February 19, 2015 2:17 PM<br>
<b>To:</b> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b> [Openid-specs-ab] Form Post Response Mode example has 'Pragma: no-cache'<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">The example response in <a href="http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-03.html#FormPostResponseExample" target="_blank">
http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-03.html#FormPostResponseExample</a> has a "Pragma: no-cache" response header.<u></u><u></u></p>
</div>
<p class="MsoNormal">However both <a href="http://tools.ietf.org/html/rfc2616#section-14.32" target="_blank">
RFC 2616</a> and the shiny new <a href="https://tools.ietf.org/html/rfc7234#section-5.4" target="_blank">
RFC 7234</a> make special note along the lines of the following to say that it doesn't work as response header:<br>
<br>
<br>
<u></u><u></u></p>
<pre><span style="font-size:12.0pt;color:black">     'Note: Because the meaning of "Pragma: no-cache" in responses is<u></u><u></u></span></pre>
<pre><span style="font-size:12.0pt;color:black">      not specified, it does not provide a reliable replacement for<u></u><u></u></span></pre>
<pre><span style="font-size:12.0pt;color:black">      "Cache-Control: no-cache" in them.'<u></u><u></u></span></pre>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
It doesn't really hurt anything having it in the Form Post Response Mode document but I'm thinking it'd be better to not further perpetuate the "Pragma: no-cache" response header myth in this specification* and that that line should probably be removed from
 the example.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Or am I wrong on this? And if so, what am I missing?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
</div>
<p class="MsoNormal">* And, yeah, it's in Connect Core and OAuth 2.0 as well but I figured starting with a draft that wasn't yet final was good.
<u></u><u></u></p>
</div>
</div></div></div>
</div>

</blockquote></div><br></div>
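<p>Added example (not part of the thread, the Form Post Response Mode spec, or any OpenID/OAuth library): a small auditor for the caching headers on a response like the one in the thread. It parses a raw HTTP response head, reports whether <code>Cache-Control: no-store</code> is present, flags <code>Pragma: no-cache</code> as redundant (when a real <code>Cache-Control</code> directive is there) or as an unreliable stand-in (when it is the only directive), and distinguishes <code>no-cache</code> (store allowed, revalidation required) from <code>no-store</code>. A second function rewrites the head the way Brian suggests for the example: drop <code>Pragma</code>, keep <code>no-store</code>. The sample response, the placeholder <code>state</code>/<code>code</code> values and the function names are constructed for this illustration.</p>

```python
"""Audit and harden caching headers on an authorization response.

Added example, not from the spec or the thread.  SAMPLE_RESPONSE is a
constructed response shaped like a Form Post Response Mode page: the
authorization response parameters travel as hidden fields in an
auto-submitting HTML form, so the page must never be written to a cache.
"""
from typing import Dict, List, Set

SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html;charset=UTF-8",
    "Cache-Control: no-store",
    "Pragma: no-cache",            # the header the thread proposes to drop
    "",
    "<html><head><title>Redirecting</title></head>",
    '<body onload="javascript:document.forms[0].submit()">',
    '<form method="post" action="https://client.example.org/callback">',
    '<input type="hidden" name="state" value="STATE-PLACEHOLDER"/>',
    '<input type="hidden" name="code" value="CODE-PLACEHOLDER"/>',
    "</form></body></html>",
])


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the head of a raw HTTP/1.1 response into a multi-map keyed by
    lower-cased field name.  The status line and the body are ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control_directives(headers: Dict[str, List[str]]) -> Set[str]:
    """Collect directive names (without arguments) from all Cache-Control
    fields, so 'no-store, max-age=0' yields {'no-store', 'max-age'}."""
    directives: Set[str] = set()
    for value in headers.get("cache-control", []):
        for directive in value.split(","):
            directive = directive.strip().lower()
            if directive:
                directives.add(directive.split("=", 1)[0])
    return directives


def audit_cache_headers(raw: str) -> dict:
    """Return what the response says about caching plus a list of findings.
    An empty findings list means: no-store present, no Pragma noise."""
    headers = parse_headers(raw)
    directives = cache_control_directives(headers)
    has_pragma = any(v.lower() == "no-cache" for v in headers.get("pragma", []))
    uncacheable = "no-store" in directives
    findings: List[str] = []
    if not uncacheable:
        if "no-cache" in directives:
            findings.append("Cache-Control: no-cache still permits storage and "
                            "only forces revalidation; a response carrying "
                            "codes or tokens needs no-store")
        else:
            findings.append("no Cache-Control: no-store; the response may be "
                            "written to a shared or on-disk cache")
    if has_pragma:
        if uncacheable or "no-cache" in directives:
            findings.append("Pragma: no-cache is redundant in a response "
                            "(RFC 7234 section 5.4); harmless, but can be dropped")
        else:
            findings.append("Pragma: no-cache is the only cache directive; its "
                            "meaning in responses is unspecified, so it is not a "
                            "reliable substitute for Cache-Control")
    return {"uncacheable": uncacheable, "pragma_no_cache": has_pragma,
            "findings": findings}


def harden_cache_headers(raw: str) -> str:
    """Rewrite the head: remove Pragma, guarantee Cache-Control: no-store.
    Every other header line and the body are passed through unchanged."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]
    seen_cache_control = False
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key == "pragma":
            continue  # unspecified in responses: drop rather than perpetuate
        if key == "cache-control":
            seen_cache_control = True
            directives = [d.strip() for d in value.split(",") if d.strip()]
            if not any(d.lower().split("=", 1)[0] == "no-store" for d in directives):
                directives.append("no-store")
            line = "Cache-Control: " + ", ".join(directives)
        out.append(line)
    if not seen_cache_control:
        out.append("Cache-Control: no-store")
    return "\r\n".join(out) + sep + body


if __name__ == "__main__":
    for finding in audit_cache_headers(SAMPLE_RESPONSE)["findings"]:
        print("finding:", finding)
    print(harden_cache_headers(SAMPLE_RESPONSE).split("\r\n\r\n", 1)[0])
```

<p>Run against the sample, the auditor reports only that <code>Pragma: no-cache</code> is redundant, which is the thread's conclusion: <code>no-store</code> already does the work. Against a response that carries <i>only</i> <code>Pragma: no-cache</code>, it reports that nothing reliable prevents storage, which is the point of the RFC 7234 note quoted above.</p>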