[whatwg] Solving the login/logout problem in HTML
Martin Atkins (mart at degeneration.co.uk)
Wed Nov 26 14:40:33 PST 2008

Julian Reschke wrote:
> 
> You can already handle the case of content that's available 
> unauthenticated, but would potentially differ in case of being 
> authenticated by adding
> 
>   Vary: Authorization
> 
> to a response.
> 
According to section 14.8 of the HTTP 1.1 specification, the presence of 
the Authorization header field implies that the response varies by 
Authorization:

     When a shared cache (see section 13.7) receives a request
     containing an Authorization field, it MUST NOT return the
     corresponding response as a reply to any other request, unless one
     of the following specific exceptions holds:
     [some exceptions in the presence of cache-control directives]

My understanding of this is that "Vary: Authorization" is effectively 
implied for all HTTP responses.
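
The two mechanisms discussed in this thread, the shared-cache rule quoted from section 14.8 and the Vary header, modelled as an added Python example that is not part of either message. The exempting directives (public, s-maxage, must-revalidate) are the ones RFC 2616 section 14.8 lists; the function names, header dictionaries and credentials are constructed for illustration, and freshness and revalidation are not modelled.

```python
# Added example: models only the Authorization rule of RFC 2616 section 14.8
# and Vary matching. Freshness and revalidation are deliberately ignored.

EXEMPTING_DIRECTIVES = {"public", "s-maxage", "must-revalidate"}


def _get(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cache_control_directives(headers):
    """Return the set of Cache-Control directive names, lowercased."""
    raw = _get(headers, "Cache-Control") or ""
    return {part.split("=", 1)[0].strip().lower()
            for part in raw.split(",") if part.strip()}


def shared_cache_may_reuse(stored_req, stored_resp, new_req):
    """Decide whether a shared cache may answer new_req from the stored pair."""
    # Section 14.8: a response to a request that carried Authorization is
    # not reusable unless the origin opted in with an exempting directive.
    if _get(stored_req, "Authorization") is not None:
        if not cache_control_directives(stored_resp) & EXEMPTING_DIRECTIVES:
            return False
    # Vary: every listed request header must match between the two requests.
    vary = _get(stored_resp, "Vary") or ""
    for field in (f.strip() for f in vary.split(",") if f.strip()):
        if field == "*" or _get(stored_req, field) != _get(new_req, field):
            return False
    return True


# Constructed sample requests (not taken from real traffic).
ANON = {"Host": "example.org"}
ALICE = {"Host": "example.org", "Authorization": "Basic YWxpY2U6eA=="}
BOB = {"Host": "example.org", "Authorization": "Basic Ym9iOng="}

if __name__ == "__main__":
    print(shared_cache_may_reuse(ALICE, {}, BOB))
    print(shared_cache_may_reuse(ALICE, {"Cache-Control": "public"}, BOB))
    print(shared_cache_may_reuse(ANON, {"Vary": "Authorization"}, ALICE))
```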