Mark Nottingham
The security (and interoperability) considerations mostly fall on servers in terms of what they send hints to (because some clients don't handle them well); a client artificially constraining whether they...
Current cookie spec [says](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-ignoring-set-cookie-header-):

> User agents MAY ignore Set-Cookie header fields contained in responses with 100-level status codes or based on its cookie policy (see [Section 7.2](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#cookie-policy)).
Parameters do complicate things. Also, it'd be good to distinguish between `Token` and `String` if it's going to be (re-)serialised. And don't forget we're adding `Date` and perhaps a separate...
Note that the [revision](https://httpwg.org/http-extensions/draft-ietf-httpbis-sfbis.html) is adding Dates and Display Strings (i.e., Unicode).
Update: it looks like Safari does *not* follow the condition for setting `Pragma` and `Cache-Control` if the request headers contain `Range`. Weird.
@annevk should I do a PR?
s/transparent proxies/all upstream caches/ -- yes.
Implementer convenience is not what we should be optimising for. AIUI Fetch is a low-level HTTP API -- as per [EWM](https://extensiblewebmanifesto.org/) -- and that means it should not impose its...
#852 seems to have added a `prevent no-cache cache-control header modification flag` that at least offers control over `no-cache`, even if the default hasn't changed and it doesn't address `no-store`.