Opened 6 years ago
Closed 6 years ago
#28833 closed Cleanup/optimization (fixed)
"Cache-Control: private" responses should not be cached by server
| Reported by: | Nathan Vander Wilt | Owned by: | shangdahao |
|---|---|---|---|
| Component: | HTTP handling | Version: | 1.8 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If the "Cache-Control: private" directive is set on a response, it must not be stored in a shared cache. Django's serverside caching system is a shared cache, but stores such responses anyway.
A response such as
Cache-Control: private Content-Type: text/plain Here is your own special random number: 42
should be cacheable only by the user's own browser [more or less], but Django currently reuses the response for subsequent requests from anyone.
Some workarounds might be:
- use @never_cache or similar to ensure a max-age of 0 which is respected by the cache middleware, but also prevents the users own private cache from storing
- make sure the response varies on something private to the user (i.e.
Vary: Cookie) in which case the entry will still be stored in a shared — but now less accessible — manner
Change History (4)
comment:1 by , 6 years ago
| Component: | Core (Cache system) → HTTP handling |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Cleanup/optimization |
comment:4 by , 6 years ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:5 by , 6 years ago
| Has patch: | set |
|---|
Note:
See TracTickets
for help on using tickets.
PR