HTTPbis Working Group                                   R. Fielding, Ed.
Internet-Draft                                                     Adobe
Obsoletes: 2616 (if approved)                         M. Nottingham, Ed.
Intended status: Standards Track                                  Akamai
Expires: March 29, 2014                                  J. Reschke, Ed.
                                                              greenbytes
                                                      September 25, 2013

            Hypertext Transfer Protocol (HTTP/1.1): Caching
                     draft-ietf-httpbis-p6-cache-24

Abstract

   The Hypertext Transfer Protocol (HTTP) is an application-level
   protocol for distributed, collaborative, hypertext information
   systems. This document defines requirements on HTTP caches and the
   associated header fields that control cache behavior or indicate
   cacheable response messages.

Editorial Note (To be removed by RFC Editor)

   Discussion of this draft takes place on the HTTPBIS working group
   mailing list (ietf-http-wg@w3.org), which is archived at .

   The current issues list is at and related documents (including fancy
   diffs) can be found at .

   The changes in this draft are summarized in Appendix D.5.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 29, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.
   The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
     1.1.  Conformance and Error Handling
     1.2.  Syntax Notation
       1.2.1.  Delta Seconds
   2.  Overview of Cache Operation
   3.  Storing Responses in Caches
     3.1.  Storing Incomplete Responses
     3.2.  Storing Responses to Authenticated Requests
     3.3.  Combining Partial Content
   4.  Constructing Responses from Caches
     4.1.  Calculating Secondary Keys with Vary
     4.2.  Freshness
       4.2.1.  Calculating Freshness Lifetime
       4.2.2.  Calculating Heuristic Freshness
       4.2.3.  Calculating Age
       4.2.4.  Serving Stale Responses
     4.3.  Validation
       4.3.1.  Sending a Validation Request
       4.3.2.  Handling a Received Validation Request
       4.3.3.  Handling a Validation Response
       4.3.4.  Freshening Stored Responses upon Validation
       4.3.5.  Freshening Responses via HEAD
     4.4.  Invalidation
   5.  Header Field Definitions
     5.1.  Age
     5.2.  Cache-Control
       5.2.1.  Request Cache-Control Directives
       5.2.2.  Response Cache-Control Directives
       5.2.3.  Cache Control Extensions
     5.3.  Expires
     5.4.  Pragma
     5.5.  Warning
       5.5.1.  Warning: 110 - "Response is Stale"
       5.5.2.  Warning: 111 - "Revalidation Failed"
       5.5.3.  Warning: 112 - "Disconnected Operation"
       5.5.4.  Warning: 113 - "Heuristic Expiration"
       5.5.5.  Warning: 199 - "Miscellaneous Warning"
       5.5.6.  Warning: 214 - "Transformation Applied"
       5.5.7.  Warning: 299 - "Miscellaneous Persistent Warning"
   6.  History Lists
   7.  IANA Considerations
     7.1.  Cache Directive Registry
       7.1.1.  Procedure
       7.1.2.  Considerations for New Cache Control Directives
       7.1.3.  Registrations
     7.2.  Warn Code Registry
       7.2.1.  Procedure
       7.2.2.  Registrations
     7.3.  Header Field Registration
   8.  Security Considerations
   9.  Acknowledgments
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  Changes from RFC 2616
   Appendix B.  Imported ABNF
   Appendix C.  Collected ABNF
   Appendix D.  Change Log (to be removed by RFC Editor before
                publication)
     D.1.  Since draft-ietf-httpbis-p6-cache-19
     D.2.  Since draft-ietf-httpbis-p6-cache-20
     D.3.  Since draft-ietf-httpbis-p6-cache-21
     D.4.  Since draft-ietf-httpbis-p6-cache-22
     D.5.  Since draft-ietf-httpbis-p6-cache-23
   Index

1.  Introduction

   HTTP is typically used for distributed information systems, where
   performance can be improved by the use of response caches. This
   document defines aspects of HTTP/1.1 related to caching and reusing
   response messages.

   An HTTP cache is a local store of response messages and the subsystem
   that controls storage, retrieval, and deletion of messages in it. A
   cache stores cacheable responses in order to reduce the response time
   and network bandwidth consumption on future, equivalent requests.
   Any client or server MAY employ a cache, though a cache cannot be
   used by a server that is acting as a tunnel.

   A shared cache is a cache that stores responses to be reused by more
   than one user; shared caches are usually (but not always) deployed as
   a part of an intermediary.
   A private cache, in contrast, is dedicated to a single user.

   The goal of caching in HTTP/1.1 is to significantly improve
   performance by reusing a prior response message to satisfy a current
   request. A stored response is considered "fresh", as defined in
   Section 4.2, if the response can be reused without "validation"
   (checking with the origin server to see if the cached response
   remains valid for this request). A fresh response can therefore
   reduce both latency and network overhead each time it is reused.
   When a cached response is not fresh, it might still be reusable if it
   can be freshened by validation (Section 4.3) or if the origin is
   unavailable (Section 4.2.4).

1.1.  Conformance and Error Handling

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Conformance criteria and considerations regarding error handling are
   defined in Section 2.5 of [Part1].

1.2.  Syntax Notation

   This specification uses the Augmented Backus-Naur Form (ABNF)
   notation of [RFC5234] with the list rule extension defined in Section
   7 of [Part1]. Appendix B describes rules imported from other
   documents. Appendix C shows the collected ABNF with the list rule
   expanded.

1.2.1.  Delta Seconds

   The delta-seconds rule specifies a non-negative integer, representing
   time in seconds.

     delta-seconds  = 1*DIGIT

   If a cache receives a delta-seconds value larger than the largest
   positive integer it can represent, or if any of its subsequent
   calculations overflows, the cache MUST consider the value to be
   2147483648 (2^31). A recipient parsing a delta-seconds value MUST
   use an arithmetic type of at least 31 bits of range, and a sender
   MUST NOT generate delta-seconds with a value greater than 2147483648.

2.  Overview of Cache Operation

   Proper cache operation preserves the semantics of HTTP transfers
   ([Part2]) while eliminating the transfer of information already held
   in the cache. Although caching is an entirely OPTIONAL feature of
   HTTP, we assume that reusing the cached response is desirable and
   that such reuse is the default behavior when no requirement or local
   configuration prevents it. Therefore, HTTP cache requirements are
   focused on preventing a cache from either storing a non-reusable
   response or reusing a stored response inappropriately, rather than
   mandating that caches always store and reuse particular responses.

   Each cache entry consists of a cache key and one or more HTTP
   responses corresponding to prior requests that used the same key.
   The most common form of cache entry is a successful result of a
   retrieval request: i.e., a 200 (OK) response to a GET request, which
   contains a representation of the resource identified by the request
   target (Section 4.3.1 of [Part2]). However, it is also possible to
   cache permanent redirects, negative results (e.g., 404 (Not Found)),
   incomplete results (e.g., 206 (Partial Content)), and responses to
   methods other than GET if the method's definition allows such caching
   and defines something suitable for use as a cache key.

   The primary cache key consists of the request method and target URI.
   However, since HTTP caches in common use today are typically limited
   to caching responses to GET, many caches simply decline other methods
   and use only the URI as the primary cache key.

   If a request target is subject to content negotiation, its cache
   entry might consist of multiple stored responses, each differentiated
   by a secondary key for the values of the original request's selecting
   header fields (Section 4.1).

3.  Storing Responses in Caches

   A cache MUST NOT store a response to any request, unless:

   o  The request method is understood by the cache and defined as being
      cacheable, and

   o  the response status code is understood by the cache, and

   o  the "no-store" cache directive (see Section 5.2) does not appear
      in request or response header fields, and

   o  the "private" cache response directive (see Section 5.2.2.6) does
      not appear in the response, if the cache is shared, and

   o  the Authorization header field (see Section 4.1 of [Part7]) does
      not appear in the request, if the cache is shared, unless the
      response explicitly allows it (see Section 3.2), and

   o  the response either:

      *  contains an Expires header field (see Section 5.3), or

      *  contains a max-age response cache directive (see
         Section 5.2.2.8), or

      *  contains a s-maxage response cache directive (see
         Section 5.2.2.9) and the cache is shared, or

      *  contains a Cache Control Extension (see Section 5.2.3) that
         allows it to be cached, or

      *  has a status code that is defined as cacheable (see
         Section 4.2.2), or

      *  contains a public response cache directive (see
         Section 5.2.2.5).

   Note that any of the requirements listed above can be overridden by a
   cache-control extension; see Section 5.2.3.

   In this context, a cache has "understood" a request method or a
   response status code if it recognizes it and implements all specified
   caching-related behavior.

   Note that, in normal operation, some caches will not store a response
   that has neither a cache validator nor an explicit expiration time,
   as such responses are not usually useful to store. However, caches
   are not prohibited from storing such responses.

3.1.  Storing Incomplete Responses

   A response message is considered complete when all of the octets
   indicated by the message framing ([Part1]) are received prior to the
   connection being closed.
   If the request method is GET, the response
   status code is 200 (OK), and the entire response header section has
   been received, a cache MAY store an incomplete response message body
   if the cache entry is recorded as incomplete. Likewise, a 206
   (Partial Content) response MAY be stored as if it were an incomplete
   200 (OK) cache entry. However, a cache MUST NOT store incomplete or
   partial content responses if it does not support the Range and
   Content-Range header fields or if it does not understand the range
   units used in those fields.

   A cache MAY complete a stored incomplete response by making a
   subsequent range request ([Part5]) and combining the successful
   response with the stored entry, as defined in Section 3.3. A cache
   MUST NOT use an incomplete response to answer requests unless the
   response has been made complete or the request is partial and
   specifies a range that is wholly within the incomplete response. A
   cache MUST NOT send a partial response to a client without explicitly
   marking it as such using the 206 (Partial Content) status code.

3.2.  Storing Responses to Authenticated Requests

   A shared cache MUST NOT use a cached response to a request with an
   Authorization header field (Section 4.1 of [Part7]) to satisfy any
   subsequent request unless a cache directive that allows such
   responses to be stored is present in the response.

   In this specification, the following Cache-Control response
   directives (Section 5.2.2) have such an effect: must-revalidate,
   public, s-maxage.

   Note that cached responses that contain the "must-revalidate" and/or
   "s-maxage" response directives are not allowed to be served stale
   (Section 4.2.4) by shared caches. In particular, a response with
   either "max-age=0, must-revalidate" or "s-maxage=0" cannot be used to
   satisfy a subsequent request without revalidating it on the origin
   server.

3.3.  Combining Partial Content

   A response might transfer only a partial representation if the
   connection closed prematurely or if the request used one or more
   Range specifiers ([Part5]). After several such transfers, a cache
   might have received several ranges of the same representation. A
   cache MAY combine these ranges into a single stored response, and
   reuse that response to satisfy later requests, if they all share the
   same strong validator and the cache complies with the client
   requirements in Section 4.3 of [Part5].

   When combining the new response with one or more stored responses, a
   cache MUST:

   o  delete any Warning header fields in the stored response with
      warn-code 1xx (see Section 5.5);

   o  retain any Warning header fields in the stored response with
      warn-code 2xx; and,

   o  use other header fields provided in the new response, aside from
      Content-Range, to replace all instances of the corresponding
      header fields in the stored response.

4.  Constructing Responses from Caches

   When presented with a request, a cache MUST NOT reuse a stored
   response, unless:

   o  The presented effective request URI (Section 5.5 of [Part1]) and
      that of the stored response match, and

   o  the request method associated with the stored response allows it
      to be used for the presented request, and

   o  selecting header fields nominated by the stored response (if any)
      match those presented (see Section 4.1), and

   o  the presented request does not contain the no-cache pragma
      (Section 5.4), nor the no-cache cache directive (Section 5.2.1),
      unless the stored response is successfully validated
      (Section 4.3), and

   o  the stored response does not contain the no-cache cache directive
      (Section 5.2.2.2), unless it is successfully validated
      (Section 4.3), and

   o  the stored response is either:

      *  fresh (see Section 4.2), or

      *  allowed to be served stale (see Section 4.2.4), or

      *  successfully validated (see Section 4.3).

   Note that any of the requirements listed above can be overridden by a
   cache-control extension; see Section 5.2.3.

   When a stored response is used to satisfy a request without
   validation, a cache MUST generate an Age header field (Section 5.1),
   replacing any present in the response with a value equal to the
   stored response's current_age; see Section 4.2.3.

   A cache MUST write through requests with methods that are unsafe
   (Section 4.2.1 of [Part2]) to the origin server; i.e., a cache is not
   allowed to generate a reply to such a request before having forwarded
   the request and having received a corresponding response.

   Also, note that unsafe requests might invalidate already stored
   responses; see Section 4.4.

   When more than one suitable response is stored, a cache MUST use the
   most recent response (as determined by the Date header field).
   It can also forward the request with "Cache-Control: max-age=0" or
   "Cache-Control: no-cache" to disambiguate which response to use.

   A cache that does not have a clock available MUST NOT use stored
   responses without revalidating them upon every use.

4.1.  Calculating Secondary Keys with Vary

   When a cache receives a request that can be satisfied by a stored
   response that has a Vary header field (Section 7.1.4 of [Part2]), it
   MUST NOT use that response unless all of the selecting header fields
   nominated by the Vary header field match in both the original request
   (i.e., that associated with the stored response), and the presented
   request.

   The selecting header fields from two requests are defined to match if
   and only if those in the first request can be transformed to those in
   the second request by applying any of the following:

   o  adding or removing whitespace, where allowed in the header field's
      syntax

   o  combining multiple header fields with the same field name (see
      Section 3.2 of [Part1])

   o  normalizing both header field values in a way that is known to
      have identical semantics, according to the header field's
      specification (e.g., re-ordering field values when order is not
      significant; case-normalization, where values are defined to be
      case-insensitive)

   If (after any normalization that might take place) a header field is
   absent from a request, it can only match another request if it is
   also absent there.

   A Vary header field-value of "*" always fails to match.

   The stored response with matching selecting header fields is known as
   the selected response.

   If multiple selected responses are available (potentially including
   responses without a Vary header field), the cache will need to choose
   one to use.
   When a selecting header field has a known mechanism for
   doing so (e.g., qvalues on Accept and similar request header fields),
   that mechanism MAY be used to select preferred responses; of the
   remainder, the most recent response (as determined by the Date header
   field) is used, as per Section 4.

   If no selected response is available, the cache cannot satisfy the
   presented request. Typically, it is forwarded to the origin server
   in a (possibly conditional; see Section 4.3) request.

4.2.  Freshness

   A fresh response is one whose age has not yet exceeded its freshness
   lifetime. Conversely, a stale response is one where it has.

   A response's freshness lifetime is the length of time between its
   generation by the origin server and its expiration time. An explicit
   expiration time is the time at which the origin server intends that a
   stored response can no longer be used by a cache without further
   validation, whereas a heuristic expiration time is assigned by a
   cache when no explicit expiration time is available.

   A response's age is the time that has passed since it was generated
   by, or successfully validated with, the origin server.

   When a response is "fresh" in the cache, it can be used to satisfy
   subsequent requests without contacting the origin server, thereby
   improving efficiency.

   The primary mechanism for determining freshness is for an origin
   server to provide an explicit expiration time in the future, using
   either the Expires header field (Section 5.3) or the max-age response
   cache directive (Section 5.2.2.8). Generally, origin servers will
   assign future explicit expiration times to responses in the belief
   that the representation is not likely to change in a semantically
   significant way before the expiration time is reached.

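   The Vary matching and selection rules of Section 4.1 above, as an
   added Python example that is not part of the draft. The function
   names, the (name, value) header lists, the single Accept-Encoding
   normalizer and the cache entries are constructed for illustration.

```python
# Added example: Vary secondary-key matching (Section 4.1). All names here
# are constructed for illustration; headers are lists of (name, value) pairs.

def _combine(headers, name):
    """Join every field called `name` into one list value; None if absent."""
    values = [v.strip() for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def _norm_accept_encoding(value):
    """Content-codings are case-insensitive; list order is not significant."""
    items = ("".join(item.split()).lower() for item in value.split(","))
    return tuple(sorted(i for i in items if i))


# Assumption: only fields with a normalizer known to preserve semantics get
# one. Everything else is compared after combining and trimming, so a
# doubtful pair ends as a cache miss, never as a wrongly shared response.
NORMALIZERS = {"accept-encoding": _norm_accept_encoding}


def vary_matches(vary, original_request, presented_request):
    """True if the stored response's selecting header fields match."""
    names = [n.strip().lower() for n in vary.split(",") if n.strip()]
    if "*" in names:
        return False                      # "*" always fails to match
    for name in names:
        stored = _combine(original_request, name)
        presented = _combine(presented_request, name)
        if stored is None or presented is None:
            if stored is not presented:   # absent only matches absent
                return False
            continue
        norm = NORMALIZERS.get(name, str.strip)
        if norm(stored) != norm(presented):
            return False
    return True


def select_response(entries, presented_request):
    """Most recent (by Date) stored response that matches, or None."""
    candidates = [
        e for e in entries
        if e["vary"] is None
        or vary_matches(e["vary"], e["request"], presented_request)
    ]
    return max(candidates, key=lambda e: e["date"], default=None)


# Constructed entries for one URI; "date" is the Date field in epoch seconds.
ENTRIES = [
    {"id": "gzip-old", "vary": "Accept-Encoding", "date": 1000,
     "request": [("Accept-Encoding", "gzip, br")]},
    {"id": "gzip-new", "vary": "Accept-Encoding", "date": 2000,
     "request": [("Accept-Encoding", "gzip, br")]},
    {"id": "per-user", "vary": "Accept-Encoding, Cookie", "date": 3000,
     "request": [("Accept-Encoding", "gzip, br"), ("Cookie", "sid=alice")]},
    {"id": "never", "vary": "*", "date": 4000, "request": []},
]

if __name__ == "__main__":
    # Same codings as the stored request, split over two fields and re-cased.
    request = [("accept-encoding", "BR"), ("Accept-Encoding", " gzip")]
    print(select_response(ENTRIES, request)["id"])
```

   A request without the Cookie field never selects the "per-user"
   entry, and the entry stored with "Vary: *" is never selected at all.
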
   If an origin server wishes to force a cache to validate every
   request, it can assign an explicit expiration time in the past to
   indicate that the response is already stale. Compliant caches will
   normally validate a stale cached response before reusing it for
   subsequent requests (see Section 4.2.4).

   Since origin servers do not always provide explicit expiration times,
   caches are also allowed to use a heuristic to determine an expiration
   time under certain circumstances (see Section 4.2.2).

   The calculation to determine if a response is fresh is:

      response_is_fresh = (freshness_lifetime > current_age)

   freshness_lifetime is defined in Section 4.2.1; current_age is
   defined in Section 4.2.3.

   Clients can send the max-age or min-fresh cache directives in a
   request to constrain or relax freshness calculations for the
   corresponding response (Section 5.2.1).

   When calculating freshness, to avoid common problems in date parsing:

   o  Although all date formats are specified to be case-sensitive, a
      cache recipient SHOULD match day, week, and timezone names
      case-insensitively.

   o  If a cache recipient's internal implementation of time has less
      resolution than the value of an HTTP-date, the recipient MUST
      internally represent a parsed Expires date as the nearest time
      equal to or earlier than the received value.

   o  A cache recipient MUST NOT allow local time zones to influence the
      calculation or comparison of an age or expiration time.

   o  A cache recipient SHOULD consider a date with a zone abbreviation
      other than GMT or UTC to be invalid for calculating expiration.

   Note that freshness applies only to cache operation; it cannot be
   used to force a user agent to refresh its display or reload a
   resource. See Section 6 for an explanation of the difference between
   caches and history mechanisms.

4.2.1.  Calculating Freshness Lifetime

   A cache can calculate the freshness lifetime (denoted as
   freshness_lifetime) of a response by using the first match of:

   o  If the cache is shared and the s-maxage response cache directive
      (Section 5.2.2.9) is present, use its value, or

   o  If the max-age response cache directive (Section 5.2.2.8) is
      present, use its value, or

   o  If the Expires response header field (Section 5.3) is present, use
      its value minus the value of the Date response header field, or

   o  Otherwise, no explicit expiration time is present in the response.
      A heuristic freshness lifetime might be applicable; see
      Section 4.2.2.

   Note that this calculation is not vulnerable to clock skew, since all
   of the information comes from the origin server.

   When there is more than one value present for a given directive
   (e.g., two Expires header fields, multiple Cache-Control: max-age
   directives), the directive's value is considered invalid. Caches are
   encouraged to consider responses that have invalid freshness
   information to be stale.

4.2.2.  Calculating Heuristic Freshness

   Since origin servers do not always provide explicit expiration times,
   a cache MAY assign a heuristic expiration time when an explicit time
   is not specified, employing algorithms that use other header field
   values (such as the Last-Modified time) to estimate a plausible
   expiration time. This specification does not provide specific
   algorithms, but does impose worst-case constraints on their results.

   A cache MUST NOT use heuristics to determine freshness when an
   explicit expiration time is present in the stored response.
   Because of the requirements in Section 3, this means that,
   effectively, heuristics can only be used on responses without
   explicit freshness whose status codes are defined as cacheable, and
   responses without explicit freshness that have been marked as
   explicitly cacheable (e.g., with a "public" response cache
   directive).

   If the response has a Last-Modified header field (Section 2.2 of
   [Part4]), caches are encouraged to use a heuristic expiration value
   that is no more than some fraction of the interval since that time.
   A typical setting of this fraction might be 10%.

   When a heuristic is used to calculate freshness lifetime, a cache
   SHOULD generate a Warning header field with a 113 warn-code (see
   Section 5.5.4) in the response if its current_age is more than 24
   hours and such a warning is not already present.

      Note: Section 13.9 of [RFC2616] prohibited caches from calculating
      heuristic freshness for URIs with query components (i.e., those
      containing '?'). In practice, this has not been widely
      implemented. Therefore, origin servers are encouraged to send
      explicit directives (e.g., Cache-Control: no-cache) if they wish
      to preclude caching.

4.2.3.  Calculating Age

   The Age header field is used to convey an estimated age of the
   response message when obtained from a cache. The Age field value is
   the cache's estimate of the number of seconds since the response was
   generated or validated by the origin server. In essence, the Age
   value is the sum of the time that the response has been resident in
   each of the caches along the path from the origin server, plus the
   amount of time it has been in transit along network paths.

   The following data is used for the age calculation:

   age_value

      The term "age_value" denotes the value of the Age header field
      (Section 5.1), in a form appropriate for arithmetic operation; or
      0, if not available.

   date_value

      The term "date_value" denotes the value of the Date header field,
      in a form appropriate for arithmetic operations. See Section
      7.1.1.2 of [Part2] for the definition of the Date header field,
      and for requirements regarding responses without it.

   now

      The term "now" means "the current value of the clock at the host
      performing the calculation". A host ought to use NTP ([RFC1305])
      or some similar protocol to synchronize its clocks to Coordinated
      Universal Time.

   request_time

      The current value of the clock at the host at the time the request
      resulting in the stored response was made.

   response_time

      The current value of the clock at the host at the time the
      response was received.

   A response's age can be calculated in two entirely independent ways:

   1.  the "apparent_age": response_time minus date_value, if the local
       clock is reasonably well synchronized to the origin server's
       clock. If the result is negative, the result is replaced by
       zero.

   2.  the "corrected_age_value", if all of the caches along the
       response path implement HTTP/1.1. A cache MUST interpret this
       value relative to the time the request was initiated, not the
       time that the response was received.

      apparent_age = max(0, response_time - date_value);

      response_delay = response_time - request_time;
      corrected_age_value = age_value + response_delay;

   These are combined as

      corrected_initial_age = max(apparent_age, corrected_age_value);

   unless the cache is confident in the value of the Age header field
   (e.g., because there are no HTTP/1.0 hops in the Via header field),
   in which case the corrected_age_value MAY be used as the
   corrected_initial_age.

   The current_age of a stored response can then be calculated by adding
   the amount of time (in seconds) since the stored response was last
   validated by the origin server to the corrected_initial_age.


     resident_time = now - response_time;
     current_age = corrected_initial_age + resident_time;

4.2.4.  Serving Stale Responses

   A "stale" response is one that either has explicit expiry information
   or is allowed to have heuristic expiry calculated, but is not fresh
   according to the calculations in Section 4.2.

   A cache MUST NOT generate a stale response if it is prohibited by an
   explicit in-protocol directive (e.g., by a "no-store" or "no-cache"
   cache directive, a "must-revalidate" cache-response-directive, or an
   applicable "s-maxage" or "proxy-revalidate" cache-response-directive;
   see Section 5.2.2).

   A cache MUST NOT send stale responses unless it is disconnected
   (i.e., it cannot contact the origin server or otherwise find a
   forward path) or doing so is explicitly allowed (e.g., by the max-
   stale request directive; see Section 5.2.1).

   A cache SHOULD generate a Warning header field with the 110 warn-code
   (see Section 5.5.1) in stale responses. Likewise, a cache SHOULD
   generate a 112 warn-code (see Section 5.5.3) in stale responses if
   the cache is disconnected.

   A cache SHOULD NOT generate a new Warning header field when
   forwarding a response that does not have an Age header field, even if
   the response is already stale. A cache need not validate a response
   that merely became stale in transit.

4.3.  Validation

   When a cache has one or more stored responses for a requested URI,
   but cannot serve any of them (e.g., because they are not fresh, or
   one cannot be selected; see Section 4.1), it can use the conditional
   request mechanism [Part4] in the forwarded request to give the next
   inbound server an opportunity to select a valid stored response to
   use, updating the stored metadata in the process, or to replace the
   stored response(s) with a new response. This process is known as
   "validating" or "revalidating" the stored response.

4.3.1.  Sending a Validation Request

   When sending a conditional request for cache validation, a cache
   sends one or more precondition header fields containing validator
   metadata from its stored response(s), which is then compared by
   recipients to determine whether a stored response is equivalent to a
   current representation of the resource.

   One such validator is the timestamp given in a Last-Modified header
   field (Section 2.2 of [Part4]), which can be used in an If-Modified-
   Since header field for response validation, or in an If-Unmodified-
   Since or If-Range header field for representation selection (i.e.,
   the client is referring specifically to a previously obtained
   representation with that timestamp).

   Another validator is the entity-tag given in an ETag header field
   (Section 2.3 of [Part4]). One or more entity-tags, indicating one or
   more stored responses, can be used in an If-None-Match header field
   for response validation, or in an If-Match or If-Range header field
   for representation selection (i.e., the client is referring
   specifically to one or more previously obtained representations with
   the listed entity-tags).

4.3.2.  Handling a Received Validation Request

   Each client in the request chain may have its own cache, so it is
   common for a cache at an intermediary to receive conditional requests
   from other (outbound) caches. Likewise, some user agents make use of
   conditional requests to limit data transfers to recently modified
   representations or to complete the transfer of a partially retrieved
   representation.

   If a cache receives a request that can be satisfied by reusing one of
   its stored 200 (OK) or 206 (Partial Content) responses, the cache
   SHOULD evaluate any applicable conditional header field preconditions
   received in that request with respect to the corresponding validators
   contained within the selected response. A cache MUST NOT evaluate
   conditional header fields that are only applicable to an origin
   server, found in a request with semantics that cannot be satisfied
   with a cached response, or applied to a target resource for which it
   has no stored responses; such preconditions are likely intended for
   some other (inbound) server.

   The proper evaluation of conditional requests by a cache depends on
   the received precondition header fields and their precedence, as
   defined in Section 6 of [Part4]. The If-Match and If-Unmodified-
   Since conditional header fields are not applicable to a cache.

   A request containing an If-None-Match header field (Section 3.2 of
   [Part4]) indicates that the client wants to validate one or more of
   its own stored responses in comparison to whichever stored response
   is selected by the cache. If the field-value is "*", or if the
   field-value is a list of entity-tags and at least one of them matches
   the entity-tag of the selected stored response, a cache recipient
   SHOULD generate a 304 (Not Modified) response (using the metadata of
   the selected stored response) instead of sending that stored
   response.

   When a cache decides to revalidate its own stored responses for a
   request that contains an If-None-Match list of entity-tags, the cache
   MAY combine the received list with a list of entity-tags from its own
   stored set of responses (fresh or stale) and send the union of the
   two lists as a replacement If-None-Match header field value in the
   forwarded request. If a stored response contains only partial
   content, the cache MUST NOT include its entity-tag in the union
   unless the request is for a range that would be fully satisfied by
   that partial stored response. If the response to the forwarded
   request is 304 (Not Modified) and has an ETag header field value with
   an entity-tag that is not in the client's list, the cache MUST
   generate a 200 (OK) response for the client by reusing its
   corresponding stored response, as updated by the 304 response
   metadata (Section 4.3.4).

   If an If-None-Match header field is not present, a request containing
   an If-Modified-Since header field (Section 3.3 of [Part4]) indicates
   that the client wants to validate one or more of its own stored
   responses by modification date. A cache recipient SHOULD generate a
   304 (Not Modified) response (using the metadata of the selected
   stored response) if one of the following cases is true: 1) the
   selected stored response has a Last-Modified field-value that is
   earlier than or equal to the conditional timestamp; 2) no Last-
   Modified field is present in the selected stored response, but it has
   a Date field-value that is earlier than or equal to the conditional
   timestamp; or, 3) neither Last-Modified nor Date is present in the
   selected stored response, but the cache recorded it as having been
   received at a time earlier than or equal to the conditional
   timestamp.

   A cache that implements partial responses to range requests, as
   defined in [Part5], also needs to evaluate a received If-Range header
   field (Section 3.2 of [Part5]) with respect to its selected stored
   response.

4.3.3.  Handling a Validation Response

   Cache handling of a response to a conditional request is dependent
   upon its status code:

   o  A 304 (Not Modified) response status code indicates that the
      stored response can be updated and reused; see Section 4.3.4.

   o  A full response (i.e., one with a payload body) indicates that
      none of the stored responses nominated in the conditional request
      is suitable. Instead, the cache MUST use the full response to
      satisfy the request and MAY replace the stored response(s).

   o  However, if a cache receives a 5xx (Server Error) response while
      attempting to validate a response, it can either forward this
      response to the requesting client, or act as if the server failed
      to respond. In the latter case, the cache MAY send a previously
      stored response (see Section 4.2.4).

4.3.4.  Freshening Stored Responses upon Validation

   When a cache receives a 304 (Not Modified) response and already has
   one or more stored 200 (OK) responses for the same cache key, the
   cache needs to identify which of the stored responses are updated by
   this new response and then update the stored response(s) with the new
   information provided in the 304 response.

   The stored response to update is identified by using the first match
   (if any) of:

   o  If the new response contains a strong validator (see Section 2.1
      of [Part4]), then that strong validator identifies the selected
      representation for update. All of the stored responses with the
      same strong validator are selected. If none of the stored
      responses contain the same strong validator, then the cache MUST
      NOT use the new response to update any stored responses.

   o  If the new response contains a weak validator and that validator
      corresponds to one of the cache's stored responses, then the most
      recent of those matching stored responses is selected for update.

   o  If the new response does not include any form of validator (such
      as in the case where a client generates an If-Modified-Since
      request from a source other than the Last-Modified response header
      field), and there is only one stored response, and that stored
      response also lacks a validator, then that stored response is
      selected for update.
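
   The first-match selection rule of Section 4.3.4, as an added example
   that is not part of the draft. The StoredResponse model, the
   lowercase header dictionary and the function names are assumptions;
   an entity-tag without the "W/" prefix is treated as the strong
   validator, and a "W/" entity-tag or a Last-Modified value as weak.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StoredResponse:
    """One stored 200 (OK) response for a cache key (hypothetical model)."""
    label: str
    etag: Optional[str]           # raw ETag value, e.g. '"v1"' or 'W/"v1"'
    last_modified: Optional[str]  # raw Last-Modified value
    received_at: float            # local clock when the cache stored it


def _is_weak(etag: str) -> bool:
    return etag.startswith("W/")


def _opaque(etag: str) -> str:
    """Entity-tag without the weakness prefix, for weak comparison."""
    return etag[2:] if _is_weak(etag) else etag


def select_for_update(headers_304: Dict[str, str],
                      stored: List[StoredResponse]) -> List[StoredResponse]:
    """Return the stored responses a 304 may update; keys are lowercase."""
    etag = headers_304.get("etag")
    last_modified = headers_304.get("last-modified")

    # Bullet 1: a strong validator selects every stored response carrying
    # exactly that validator. No match means nothing is updated; the rule
    # does not fall through to the weaker bullets.
    if etag and not _is_weak(etag):
        return [s for s in stored if s.etag == etag]

    # Bullet 2: a weak validator selects only the most recent match.
    if etag or last_modified:
        if etag:
            matches = [s for s in stored
                       if s.etag and _opaque(s.etag) == _opaque(etag)]
        else:
            matches = [s for s in stored if s.last_modified == last_modified]
        return [max(matches, key=lambda s: s.received_at)] if matches else []

    # Bullet 3: no validator at all. Only safe when there is exactly one
    # stored response and it has no validator either.
    if len(stored) == 1 and not stored[0].etag and not stored[0].last_modified:
        return [stored[0]]
    return []
```

   Returning an empty list in the strong-validator case keeps a 304 for
   one representation from refreshing the metadata of a different one.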

   If a stored response is selected for update, the cache MUST:

   o  delete any Warning header fields in the stored response with warn-
      code 1xx (see Section 5.5);

   o  retain any Warning header fields in the stored response with warn-
      code 2xx; and,

   o  use other header fields provided in the 304 (Not Modified)
      response to replace all instances of the corresponding header
      fields in the stored response.

4.3.5.  Freshening Responses via HEAD

   A response to the HEAD method is identical to what an equivalent
   request made with a GET would have been, except it lacks a body.
   This property of HEAD responses can be used to invalidate or update a
   cached GET response if the more efficient conditional GET request
   mechanism is not available (due to no validators being present in the
   stored response) or if transmission of the representation body is not
   desired even if it has changed.

   When a cache makes an inbound HEAD request for a given request target
   and receives a 200 (OK) response, the cache SHOULD update or
   invalidate each of its stored GET responses that could have been
   selected for that request (see Section 4.1).

   For each of the stored responses that could have been selected, if
   the stored response and HEAD response have matching values for any
   received validator fields (ETag and Last-Modified) and, if the HEAD
   response has a Content-Length header field, the value of Content-
   Length matches that of the stored response, the cache SHOULD update
   the stored response as described below; otherwise, the cache SHOULD
   consider the stored response to be stale.

   If a cache updates a stored response with the metadata provided in a
   HEAD response, the cache MUST:

   o  delete any Warning header fields in the stored response with warn-
      code 1xx (see Section 5.5);

   o  retain any Warning header fields in the stored response with warn-
      code 2xx; and,

   o  use other header fields provided in the HEAD response to replace
      all instances of the corresponding header fields in the stored
      response and append new header fields to the stored response's
      header section unless otherwise restricted by the Cache-Control
      header field.

4.4.  Invalidation

   Because unsafe request methods (Section 4.2.1 of [Part2]) such as
   PUT, POST or DELETE have the potential for changing state on the
   origin server, intervening caches can use them to keep their contents
   up-to-date.

   A cache MUST invalidate the effective Request URI (Section 5.5 of
   [Part1]) as well as the URI(s) in the Location and Content-Location
   response header fields (if present) when a non-error status code is
   received in response to an unsafe request method.

   However, a cache MUST NOT invalidate a URI from a Location or
   Content-Location response header field if the host part of that URI
   differs from the host part in the effective request URI (Section 5.5
   of [Part1]). This helps prevent denial of service attacks.

   A cache MUST invalidate the effective request URI (Section 5.5 of
   [Part1]) when it receives a non-error response to a request with a
   method whose safety is unknown.

   Here, a "non-error response" is one with a 2xx (Successful) or 3xx
   (Redirection) status code. "Invalidate" means that the cache will
   either remove all stored responses related to the effective request
   URI, or will mark these as "invalid" and in need of a mandatory
   validation before they can be sent in response to a subsequent
   request.
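
   The invalidation rules of Section 4.4, including the same-host
   restriction on Location and Content-Location, as an added example
   that is not part of the draft. The function names, the lowercase
   header dictionary and the sample URIs are assumptions; the host part
   is compared as the parsed, case-insensitive hostname.

```python
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# Safe methods defined by [Part2]; they never trigger invalidation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Unsafe methods named in Section 4.4. Any other method is treated as
# "safety unknown" by this sketch.
KNOWN_UNSAFE_METHODS = {"PUT", "POST", "DELETE"}


def host_part(uri: str) -> str:
    """Parsed hostname, lowercased; userinfo and port are not part of it."""
    return (urlsplit(uri).hostname or "").lower()


def invalidation_targets(method: str, effective_uri: str, status: int,
                         headers: Dict[str, str]) -> List[str]:
    """URIs a cache invalidates after forwarding this exchange."""
    # Only a "non-error response" (2xx or 3xx) invalidates anything.
    if not 200 <= status < 400:
        return []
    if method in SAFE_METHODS:
        return []

    targets = [effective_uri]
    if method not in KNOWN_UNSAFE_METHODS:
        # Safety unknown: only the effective request URI is invalidated.
        return targets

    for name in ("location", "content-location"):
        value = headers.get(name)
        if not value:
            continue
        # The field may carry a relative reference; resolve it first so
        # the host comparison is made on an absolute URI.
        resolved = urljoin(effective_uri, value.strip())
        if host_part(resolved) != host_part(effective_uri):
            # Cross-host reference: MUST NOT invalidate. Without this
            # check one origin's responses could evict another origin's
            # cached content.
            continue
        if resolved not in targets:
            targets.append(resolved)
    return targets
```

   Comparing the parsed hostname rather than a string prefix matters
   for values such as "http://shop.example@other.example/", whose host
   part is other.example.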

   Note that this does not guarantee that all appropriate responses are
   invalidated. For example, a state-changing request might invalidate
   responses in the caches it travels through, but relevant responses
   still might be stored in other caches that it has not.

5.  Header Field Definitions

   This section defines the syntax and semantics of HTTP/1.1 header
   fields related to caching.

5.1.  Age

   The "Age" header field conveys the sender's estimate of the amount of
   time since the response was generated or successfully validated at
   the origin server. Age values are calculated as specified in
   Section 4.2.3.

     Age = delta-seconds

   The Age field-value is a non-negative integer, representing time in
   seconds (see Section 1.2.1).

   The presence of an Age header field implies that the response was not
   generated or validated by the origin server for this request.
   However, lack of an Age header field does not imply the origin was
   contacted, since the response might have been received from an
   HTTP/1.0 cache that does not implement Age.

5.2.  Cache-Control

   The "Cache-Control" header field is used to specify directives for
   caches along the request/response chain. Such cache directives are
   unidirectional in that the presence of a directive in a request does
   not imply that the same directive is to be given in the response.

   A cache MUST obey the requirements of the Cache-Control directives
   defined in this section. See Section 5.2.3 for information about how
   Cache-Control directives defined elsewhere are handled.

      Note: Some HTTP/1.0 caches might not implement Cache-Control.

   A proxy, whether or not it implements a cache, MUST pass cache
   directives through in forwarded messages, regardless of their
   significance to that application, since the directives might be
   applicable to all recipients along the request/response chain. It is
   not possible to target a directive to a specific cache.

   Cache directives are identified by a token, to be compared case-
   insensitively, and have an optional argument, that can use both token
   and quoted-string syntax. For the directives defined below that
   define arguments, recipients ought to accept both forms, even if one
   is documented to be preferred. For any directive not defined by this
   specification, a recipient MUST accept both forms.

     Cache-Control   = 1#cache-directive

     cache-directive = token [ "=" ( token / quoted-string ) ]

   For the cache directives defined below, no argument is defined (nor
   allowed) unless stated otherwise.

5.2.1.  Request Cache-Control Directives

5.2.1.1.  max-age

   Argument syntax:

      delta-seconds (see Section 1.2.1)

   The "max-age" request directive indicates that the client is
   unwilling to accept a response whose age is greater than the
   specified number of seconds. Unless the max-stale request directive
   is also present, the client is not willing to accept a stale
   response.

   Note: This directive uses the token form of the argument syntax;
   e.g., 'max-age=5', not 'max-age="5"'. A sender SHOULD NOT generate
   the quoted-string form.

5.2.1.2.  max-stale

   Argument syntax:

      delta-seconds (see Section 1.2.1)

   The "max-stale" request directive indicates that the client is
   willing to accept a response that has exceeded its freshness
   lifetime. If max-stale is assigned a value, then the client is
   willing to accept a response that has exceeded its freshness lifetime
   by no more than the specified number of seconds. If no value is
   assigned to max-stale, then the client is willing to accept a stale
   response of any age.

   Note: This directive uses the token form of the argument syntax;
   e.g., 'max-stale=10', not 'max-stale="10"'. A sender SHOULD NOT
   generate the quoted-string form.

5.2.1.3.  min-fresh

   Argument syntax:

      delta-seconds (see Section 1.2.1)

   The "min-fresh" request directive indicates that the client is
   willing to accept a response whose freshness lifetime is no less than
   its current age plus the specified time in seconds. That is, the
   client wants a response that will still be fresh for at least the
   specified number of seconds.

   Note: This directive uses the token form of the argument syntax;
   e.g., 'min-fresh=20', not 'min-fresh="20"'. A sender SHOULD NOT
   generate the quoted-string form.

5.2.1.4.  no-cache

   The "no-cache" request directive indicates that a cache MUST NOT use
   a stored response to satisfy the request without successful
   validation on the origin server.

5.2.1.5.  no-store

   The "no-store" request directive indicates that a cache MUST NOT
   store any part of either this request or any response to it. This
   directive applies to both private and shared caches. "MUST NOT
   store" in this context means that the cache MUST NOT intentionally
   store the information in non-volatile storage, and MUST make a best-
   effort attempt to remove the information from volatile storage as
   promptly as possible after forwarding it.

   This directive is NOT a reliable or sufficient mechanism for ensuring
   privacy. In particular, malicious or compromised caches might not
   recognize or obey this directive, and communications networks might
   be vulnerable to eavesdropping.

   Note that if a request containing this directive is satisfied from a
   cache, the no-store request directive does not apply to the already
   stored response.

5.2.1.6.  no-transform

   The "no-transform" request directive indicates that an intermediary
   (whether or not it implements a cache) MUST NOT transform the
   payload, as defined in Section 5.7.2 of [Part1].

5.2.1.7.  only-if-cached

   The "only-if-cached" request directive indicates that the client only
   wishes to obtain a stored response. If it receives this directive, a
   cache SHOULD either respond using a stored response that is
   consistent with the other constraints of the request, or respond with
   a 504 (Gateway Timeout) status code. If a group of caches is being
   operated as a unified system with good internal connectivity, a
   member cache MAY forward such a request within that group of caches.

5.2.2.  Response Cache-Control Directives

5.2.2.1.  must-revalidate

   The "must-revalidate" response directive indicates that once it has
   become stale, a cache MUST NOT use the response to satisfy subsequent
   requests without successful validation on the origin server.

   The must-revalidate directive is necessary to support reliable
   operation for certain protocol features. In all circumstances a
   cache MUST obey the must-revalidate directive; in particular, if a
   cache cannot reach the origin server for any reason, it MUST generate
   a 504 (Gateway Timeout) response.

   The must-revalidate directive ought to be used by servers if and only
   if failure to validate a request on the representation could result
   in incorrect operation, such as a silently unexecuted financial
   transaction.

5.2.2.2.  no-cache

   Argument syntax:

      #field-name

   The "no-cache" response directive indicates that the response MUST
   NOT be used to satisfy a subsequent request without successful
   validation on the origin server. This allows an origin server to
   prevent a cache from using it to satisfy a request without contacting
   it, even by caches that have been configured to send stale responses.

   If the no-cache response directive specifies one or more field-names,
   then a cache MAY use the response to satisfy a subsequent request,
   subject to any other restrictions on caching. However, any header
   fields in the response that have the field-name(s) listed MUST NOT be
   sent in the response to a subsequent request without successful
   revalidation with the origin server. This allows an origin server to
   prevent the re-use of certain header fields in a response, while
   still allowing caching of the rest of the response.

   The field-names given are not limited to the set of header fields
   defined by this specification. Field names are case-insensitive.

   Note: Although it has been back-ported to many implementations, some
   HTTP/1.0 caches will not recognize or obey this directive. Also, no-
   cache response directives with field-names are often handled by
   caches as if an unqualified no-cache directive was received; i.e.,
   the special handling for the qualified form is not widely
   implemented.

   Note: This directive uses the quoted-string form of the argument
   syntax. A sender SHOULD NOT generate the token form (even if quoting
   appears not to be needed for single-entry lists).

5.2.2.3.  no-store

   The "no-store" response directive indicates that a cache MUST NOT
   store any part of either the immediate request or response. This
   directive applies to both private and shared caches. "MUST NOT
   store" in this context means that the cache MUST NOT intentionally
   store the information in non-volatile storage, and MUST make a best-
   effort attempt to remove the information from volatile storage as
   promptly as possible after forwarding it.

   This directive is NOT a reliable or sufficient mechanism for ensuring
   privacy. In particular, malicious or compromised caches might not
   recognize or obey this directive, and communications networks might
   be vulnerable to eavesdropping.

5.2.2.4.  no-transform

   The "no-transform" response directive indicates that an intermediary
   (regardless of whether it implements a cache) MUST NOT transform the
   payload, as defined in Section 5.7.2 of [Part1].

5.2.2.5.  public

   The "public" response directive indicates that any cache MAY store
   the response, even if the response would normally be non-cacheable or
   cacheable only within a private cache. (See Section 3.2 for
   additional details related to the use of public in response to a
   request containing Authorization, and Section 3 for details of how
   public affects responses that would normally not be stored, due to
   their status codes not being defined as cacheable.)

5.2.2.6.  private

   Argument syntax:

      #field-name

   The "private" response directive indicates that the response message
   is intended for a single user and MUST NOT be stored by a shared
   cache. A private cache MAY store the response and reuse it for later
   requests, even if the response would normally be non-cacheable.

   If the private response directive specifies one or more field-names,
   this requirement is limited to the field-values associated with the
   listed response header fields. That is, a shared cache MUST NOT
   store the specified field-name(s), whereas it MAY store the
   remainder of the response message.

   The field-names given are not limited to the set of header fields
   defined by this specification. Field names are case-insensitive.

   Note: This usage of the word "private" only controls where the
   response can be stored; it cannot ensure the privacy of the message
   content. Also, private response directives with field-names are
   often handled by caches as if an unqualified private directive was
   received; i.e., the special handling for the qualified form is not
   widely implemented.

   Note: This directive uses the quoted-string form of the argument
   syntax. A sender SHOULD NOT generate the token form (even if quoting
   appears not to be needed for single-entry lists).

5.2.2.7.  proxy-revalidate

   The "proxy-revalidate" response directive has the same meaning as the
   must-revalidate response directive, except that it does not apply to
   private caches.

5.2.2.8.  max-age

   Argument syntax:

      delta-seconds (see Section 1.2.1)

   The "max-age" response directive indicates that the response is to be
   considered stale after its age is greater than the specified number
   of seconds.

   Note: This directive uses the token form of the argument syntax;
   e.g., 'max-age=5', not 'max-age="5"'. A sender SHOULD NOT generate
   the quoted-string form.

5.2.2.9.  s-maxage

   Argument syntax:

      delta-seconds (see Section 1.2.1)

   The "s-maxage" response directive indicates that, in shared caches,
   the maximum age specified by this directive overrides the maximum age
   specified by either the max-age directive or the Expires header
   field. The s-maxage directive also implies the semantics of the
   proxy-revalidate response directive.

   Note: This directive uses the token form of the argument syntax;
   e.g., 's-maxage=10', not 's-maxage="10"'. A sender SHOULD NOT
   generate the quoted-string form.

5.2.3.  Cache Control Extensions

   The Cache-Control header field can be extended through the use of one
   or more cache-extension tokens, each with an optional value.

   Informational extensions (those that do not require a change in cache
   behavior) can be added without changing the semantics of other
   directives. Behavioral extensions are designed to work by acting as
   modifiers to the existing base of cache directives.
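
   A recipient-side parser for the Cache-Control grammar of Section 5.2,
   as an added example that is not part of the draft. All function names
   are assumptions, as are two policies the text does not specify: the
   first occurrence of a repeated directive wins, and a malformed
   argument is dropped so the directive is read as unqualified.

```python
import re
from typing import Dict, List, Optional

_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def _split_list(value: str) -> List[str]:
    """Split a #list on commas that are outside quoted-strings."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            items.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf))
    # The #rule tolerates empty list elements; drop them.
    return [item.strip() for item in items if item.strip()]


def _argument(raw: str) -> Optional[str]:
    """Accept both the token and the quoted-string form of an argument."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo quoted-pairs
    return raw if _TOKEN.fullmatch(raw) else None


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Map lowercase directive name to its argument (None when absent)."""
    directives: Dict[str, Optional[str]] = {}
    for item in _split_list(value):
        name, sep, raw = item.partition("=")
        name = name.strip().lower()          # directive names compare
        if not _TOKEN.fullmatch(name):       # case-insensitively
            continue
        directives.setdefault(name, _argument(raw.strip()) if sep else None)
    return directives


def field_names(directives: Dict[str, Optional[str]], name: str) -> List[str]:
    """Field-names of a qualified no-cache/private directive, lowercased."""
    arg = directives.get(name)
    return [f.strip().lower() for f in arg.split(",") if f.strip()] if arg else []


def delta_seconds(directives: Dict[str, Optional[str]], name: str) -> Optional[int]:
    """Numeric argument of max-age, s-maxage, etc.; None if unusable."""
    arg = directives.get(name)
    return int(arg) if arg and re.fullmatch(r"[0-9]+", arg) else None


def shared_cache_may_store(directives: Dict[str, Optional[str]]) -> bool:
    """Conservative check: a qualified private is treated as unqualified,
    which the note in Section 5.2.2.6 says is how caches often behave."""
    return "no-store" not in directives and "private" not in directives
```

   Unrecognized directives stay in the returned mapping but influence no
   decision, so an unknown extension never loosens what the standard
   directives require.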

   Both the new directive and the standard directive are supplied, such
   that applications that do not understand the new directive will
   default to the behavior specified by the standard directive, and
   those that understand the new directive will recognize it as
   modifying the requirements associated with the standard directive.
   In this way, extensions to the cache-control directives can be made
   without requiring changes to the base protocol.

   This extension mechanism depends on an HTTP cache obeying all of the
   cache-control directives defined for its native HTTP-version, obeying
   certain extensions, and ignoring all directives that it does not
   understand.

   For example, consider a hypothetical new response directive called
   "community" that acts as a modifier to the private directive. We
   define this new directive to mean that, in addition to any private
   cache, any cache that is shared only by members of the community
   named within its value is allowed to cache the response. An origin
   server wishing to allow the UCI community to use an otherwise private
   response in their shared cache(s) could do so by including

     Cache-Control: private, community="UCI"

   A cache seeing this header field will act correctly even if the cache
   does not understand the community cache-extension, since it will also
   see and understand the private directive and thus default to the safe
   behavior.

   A cache MUST ignore unrecognized cache directives; it is assumed that
   any cache directive likely to be unrecognized by an HTTP/1.1 cache
   will be combined with standard directives (or the response's default
   cacheability) such that the cache behavior will remain minimally
   correct even if the cache does not understand the extension(s).

5.3.  Expires

   The "Expires" header field gives the date/time after which the
   response is considered stale. See Section 4.2 for further discussion
   of the freshness model.

   The presence of an Expires field does not imply that the original
   resource will change or cease to exist at, before, or after that
   time.

   The Expires value is an HTTP-date timestamp, as defined in Section
   7.1.1.1 of [Part2].

     Expires = HTTP-date

   For example

     Expires: Thu, 01 Dec 1994 16:00:00 GMT

   A cache recipient MUST interpret invalid date formats, especially the
   value "0", as representing a time in the past (i.e., "already
   expired").

   If a response includes a Cache-Control field with the max-age
   directive (Section 5.2.2.8), a recipient MUST ignore the Expires
   field. Likewise, if a response includes the s-maxage directive
   (Section 5.2.2.9), a shared cache recipient MUST ignore the Expires
   field. In both these cases, the value in Expires is only intended
   for recipients that have not yet implemented the Cache-Control field.

   An origin server without a clock MUST NOT generate an Expires field
   unless its value represents a fixed time in the past (always expired)
   or its value has been associated with the resource by a system or
   user with a reliable clock.

   Historically, HTTP required the Expires field-value to be no more
   than a year in the future. While longer freshness lifetimes are no
   longer prohibited, extremely large values have been demonstrated to
   cause problems (e.g., clock overflows due to use of 32-bit integers
   for time values), and many caches will evict a response far sooner
   than that.

5.4.  Pragma

   The "Pragma" header field allows backwards compatibility with
   HTTP/1.0 caches, so that clients can specify a "no-cache" request
   that they will understand (as Cache-Control was not defined until
   HTTP/1.1). When the Cache-Control header field is also present and
   understood in a request, Pragma is ignored.

   In HTTP/1.0, Pragma was defined as an extensible field for
   implementation-specified directives for recipients. This
   specification deprecates such extensions to improve interoperability.

     Pragma           = 1#pragma-directive
     pragma-directive = "no-cache" / extension-pragma
     extension-pragma = token [ "=" ( token / quoted-string ) ]

   When the Cache-Control header field is not present in a request,
   caches MUST consider the no-cache request pragma-directive as having
   the same effect as if "Cache-Control: no-cache" were present (see
   Section 5.2.1).

   When sending a no-cache request, a client ought to include both the
   pragma and cache-control directives, unless Cache-Control: no-cache
   is purposefully omitted to target other Cache-Control response
   directives at HTTP/1.1 caches. For example:

     GET / HTTP/1.1
     Host: www.example.com
     Cache-Control: max-age=30
     Pragma: no-cache

   will constrain HTTP/1.1 caches to serve a response no older than 30
   seconds, while precluding implementations that do not understand
   Cache-Control from serving a cached response.

      Note: Because the meaning of "Pragma: no-cache" in responses is
      not specified, it does not provide a reliable replacement for
      "Cache-Control: no-cache" in them.

5.5.  Warning

   The "Warning" header field is used to carry additional information
   about the status or transformation of a message that might not be
   reflected in the status code. This information is typically used to
   warn about possible incorrectness introduced by caching operations or
   transformations applied to the payload of the message.

   Warnings can be used for other purposes, both cache-related and
   otherwise. The use of a warning, rather than an error status code,
   distinguishes these responses from true failures.

   Warning header fields can in general be applied to any message,
   however some warn-codes are specific to caches and can only be
   applied to response messages.

     Warning       = 1#warning-value

     warning-value = warn-code SP warn-agent SP warn-text
                                           [ SP warn-date ]

     warn-code  = 3DIGIT
     warn-agent = ( uri-host [ ":" port ] ) / pseudonym
                     ; the name or pseudonym of the server adding
                     ; the Warning header field, for use in debugging
                     ; a single "-" is recommended when agent unknown
     warn-text  = quoted-string
     warn-date  = DQUOTE HTTP-date DQUOTE

   Multiple warnings can be generated in a response (either by the
   origin server or by a cache), including multiple warnings with the
   same warn-code number that only differ in warn-text.

   A user agent that receives one or more Warning header fields SHOULD
   inform the user of as many of them as possible, in the order that
   they appear in the response.  Senders that generate multiple Warning
   header fields are encouraged to order them with this user agent
   behavior in mind.  A sender that generates new Warning header fields
   MUST append them after any existing Warning header fields.

   Warnings are assigned three digit warn-codes.  The first digit
   indicates whether the Warning is required to be deleted from a stored
   response after validation:

   o  1xx warn-codes describe the freshness or validation status of the
      response, and so MUST be deleted by a cache after validation.
      They can only be generated by a cache when validating a cached
      entry, and MUST NOT be generated in any other situation.

   o  2xx warn-codes describe some aspect of the representation that is
      not rectified by a validation (for example, a lossy compression of
      the representation) and MUST NOT be deleted by a cache after
      validation, unless a full response is sent, in which case they
      MUST be.
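The warning-value grammar and the 1xx/2xx rule above, together with the warn-date check that this section goes on to require, are worked through in the following added example, which is not part of the draft. Function names, host names and sample field values are constructed for illustration; treating an unparseable warn-date or a missing Date as a mismatch is an assumption of this sketch.

```python
import re
from email.utils import parsedate_to_datetime

# warning-value = warn-code SP warn-agent SP warn-text [ SP warn-date ]
# Commas occur inside the quoted strings (every HTTP-date has one), so the
# list cannot be split on "," naively; match each value as a whole instead.
WARNING_VALUE = re.compile(
    r'(?:^|,)\s*(?P<code>\d{3}) (?P<agent>[^\s",]+) '
    r'"(?P<text>(?:[^"\\]|\\.)*)"'
    r'(?: "(?P<date>[^"]*)")?'
)

def parse_warnings(field_values):
    """Parse every warning-value from a list of Warning field values."""
    parsed = []
    for value in field_values:
        for m in WARNING_VALUE.finditer(value):
            parsed.append({"code": int(m["code"]), "agent": m["agent"],
                           "text": m["text"], "date": m["date"]})
    return parsed

def same_instant(warn_date, date_header):
    """True only if both values parse and denote the same time."""
    try:
        return (parsedate_to_datetime(warn_date)
                == parsedate_to_datetime(date_header))
    except (TypeError, ValueError):
        return False

def usable_warnings(field_values, date_header):
    """Exclude each warning-value whose warn-date differs from Date."""
    return [w for w in parse_warnings(field_values)
            if w["date"] is None or same_instant(w["date"], date_header)]

def after_validation(warnings):
    """1xx warn-codes are deleted after validation; 2xx are retained."""
    return [w for w in warnings if not 100 <= w["code"] <= 199]

def render(warnings):
    """Rebuild the field value, or None when the header must be omitted."""
    if not warnings:
        return None
    parts = []
    for w in warnings:
        part = f'{w["code"]:03d} {w["agent"]} "{w["text"]}"'
        if w["date"] is not None:
            part += f' "{w["date"]}"'
        parts.append(part)
    return ", ".join(parts)

# Constructed sample message fields. The second field line carries a 110
# with a warn-date one day older than Date, i.e. a warning that was
# improperly retained after an earlier validation.
SAMPLE_DATE = "Sat, 25 Aug 2012 23:34:45 GMT"
SAMPLE_WARNINGS = [
    '112 - "network down" "Sat, 25 Aug 2012 23:34:45 GMT"',
    '110 cache.example "Response is Stale" "Fri, 24 Aug 2012 10:00:00 GMT", '
    '214 proxy.example "Transformation Applied"',
]

if __name__ == "__main__":
    kept = usable_warnings(SAMPLE_WARNINGS, SAMPLE_DATE)
    print(render(kept))
    print(render(after_validation(kept)))
```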

   If a sender generates one or more 1xx warn-codes in a message to be
   sent to a recipient known to implement only HTTP/1.0, the sender MUST
   include in each corresponding warning-value a warn-date that matches
   the Date header field in the message.  For example:

     HTTP/1.1 200 OK
     Date: Sat, 25 Aug 2012 23:34:45 GMT
     Warning: 112 - "network down" "Sat, 25 Aug 2012 23:34:45 GMT"

   If a recipient that uses, evaluates, or displays Warning header
   fields receives a warn-date that is different from the Date value in
   the same message, the recipient MUST exclude the warning-value
   containing that warn-date before storing, forwarding, or using the
   message.  This allows recipients to exclude warning-values that were
   improperly retained after a cache validation.  If all of the
   warning-values are excluded, the recipient MUST exclude the Warning
   header field as well.

   The following warn-codes are defined by this specification, each with
   a recommended warn-text in English, and a description of its meaning.
   The procedure for defining additional warn codes is described in
   Section 7.2.1.

5.5.1.  Warning: 110 - "Response is Stale"

   A cache SHOULD generate this whenever the sent response is stale.

5.5.2.  Warning: 111 - "Revalidation Failed"

   A cache SHOULD generate this when sending a stale response because an
   attempt to validate the response failed, due to an inability to reach
   the server.

5.5.3.  Warning: 112 - "Disconnected Operation"

   A cache SHOULD generate this if it is intentionally disconnected from
   the rest of the network for a period of time.

5.5.4.  Warning: 113 - "Heuristic Expiration"

   A cache SHOULD generate this if it heuristically chose a freshness
   lifetime greater than 24 hours and the response's age is greater than
   24 hours.

5.5.5.  Warning: 199 - "Miscellaneous Warning"

   The warning text can include arbitrary information to be presented to
   a human user, or logged.  A system receiving this warning MUST NOT
   take any automated action, besides presenting the warning to the
   user.

5.5.6.  Warning: 214 - "Transformation Applied"

   MUST be added by a proxy if it applies any transformation to the
   representation, such as changing the content-coding, media-type, or
   modifying the representation data, unless this Warning code already
   appears in the response.

5.5.7.  Warning: 299 - "Miscellaneous Persistent Warning"

   The warning text can include arbitrary information to be presented to
   a human user, or logged.  A system receiving this warning MUST NOT
   take any automated action.

6.  History Lists

   User agents often have history mechanisms, such as "Back" buttons and
   history lists, that can be used to redisplay a representation
   retrieved earlier in a session.

   The freshness model (Section 4.2) does not necessarily apply to
   history mechanisms.  I.e., a history mechanism can display a previous
   representation even if it has expired.

   This does not prohibit the history mechanism from telling the user
   that a view might be stale, or from honoring cache directives (e.g.,
   Cache-Control: no-store).

7.  IANA Considerations

7.1.  Cache Directive Registry

   The HTTP Cache Directive Registry defines the name space for the
   cache directives.  It will be created and maintained at
   .

7.1.1.  Procedure

   A registration MUST include the following fields:

   o  Cache Directive Name

   o  Pointer to specification text

   Values to be added to this name space require IETF Review (see
   [RFC5226], Section 4.1).

7.1.2.  Considerations for New Cache Control Directives

   New extension directives ought to consider defining:

   o  What it means for a directive to be specified multiple times,

   o  When the directive does not take an argument, what it means when
      an argument is present,

   o  When the directive requires an argument, what it means when it is
      missing,

   o  Whether the directive is specific to requests, responses, or able
      to be used in either.

   See also Section 5.2.3.

7.1.3.  Registrations

   The HTTP Cache Directive Registry shall be populated with the
   registrations below:

   +------------------------+----------------------------------+
   | Cache Directive        | Reference                        |
   +------------------------+----------------------------------+
   | max-age                | Section 5.2.1.1, Section 5.2.2.8 |
   | max-stale              | Section 5.2.1.2                  |
   | min-fresh              | Section 5.2.1.3                  |
   | must-revalidate        | Section 5.2.2.1                  |
   | no-cache               | Section 5.2.1.4, Section 5.2.2.2 |
   | no-store               | Section 5.2.1.5, Section 5.2.2.3 |
   | no-transform           | Section 5.2.1.6, Section 5.2.2.4 |
   | only-if-cached         | Section 5.2.1.7                  |
   | private                | Section 5.2.2.6                  |
   | proxy-revalidate       | Section 5.2.2.7                  |
   | public                 | Section 5.2.2.5                  |
   | s-maxage               | Section 5.2.2.9                  |
   | stale-if-error         | [RFC5861], Section 4             |
   | stale-while-revalidate | [RFC5861], Section 3             |
   +------------------------+----------------------------------+

7.2.  Warn Code Registry

   The HTTP Warn Code Registry defines the name space for warn codes.
   It will be created and maintained at
   .

7.2.1.  Procedure

   A registration MUST include the following fields:

   o  Warn Code (3 digits)

   o  Short Description

   o  Pointer to specification text

   Values to be added to this name space require IETF Review (see
   [RFC5226], Section 4.1).

7.2.2.  Registrations

   The HTTP Warn Code Registry shall be populated with the registrations
   below:

   +-----------+----------------------------------+---------------+
   | Warn Code | Short Description                | Reference     |
   +-----------+----------------------------------+---------------+
   | 110       | Response is Stale                | Section 5.5.1 |
   | 111       | Revalidation Failed              | Section 5.5.2 |
   | 112       | Disconnected Operation           | Section 5.5.3 |
   | 113       | Heuristic Expiration             | Section 5.5.4 |
   | 199       | Miscellaneous Warning            | Section 5.5.5 |
   | 214       | Transformation Applied           | Section 5.5.6 |
   | 299       | Miscellaneous Persistent Warning | Section 5.5.7 |
   +-----------+----------------------------------+---------------+

7.3.  Header Field Registration

   HTTP header fields are registered within the Message Header Field
   Registry maintained at .

   This document defines the following HTTP header fields, so their
   associated registry entries shall be updated according to the
   permanent registrations below (see [BCP90]):

   +-------------------+----------+----------+-------------+
   | Header Field Name | Protocol | Status   | Reference   |
   +-------------------+----------+----------+-------------+
   | Age               | http     | standard | Section 5.1 |
   | Cache-Control     | http     | standard | Section 5.2 |
   | Expires           | http     | standard | Section 5.3 |
   | Pragma            | http     | standard | Section 5.4 |
   | Warning           | http     | standard | Section 5.5 |
   +-------------------+----------+----------+-------------+

   The change controller is: "IETF (iesg@ietf.org) - Internet
   Engineering Task Force".

8.  Security Considerations

   This section is meant to inform developers, information providers,
   and users of known security concerns specific to HTTP/1.1 caching.
   More general security considerations are addressed in HTTP messaging
   [Part1] and semantics [Part2].
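Section 8 notes that a Set-Cookie response header field does not inhibit caching and that servers are encouraged to emit appropriate Cache-Control fields. The following added example, which is not part of the draft, is a review-time check that flags responses carrying Set-Cookie that a shared cache could still store. The verdict labels, URLs and sample responses are constructed, and the storage test is a simplified reading of the caching rules with an assumed set of default-cacheable status codes.

```python
# Status codes this sketch treats as cacheable by default (an assumption).
DEFAULT_CACHEABLE = {200, 203, 204, 300, 301, 404, 405, 410, 414, 501}

def directive_names(cache_control):
    """Lower-cased directive names only; arguments are not needed here."""
    return {d.split("=", 1)[0].strip().lower()
            for d in (cache_control or "").split(",") if d.strip()}

def shared_cache_verdict(status, headers, request_had_authorization=False):
    """Classify what a shared cache is permitted to do with a response:
    'not-stored', 'stored-revalidate' or 'stored-reusable'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = directive_names(h.get("cache-control"))
    if cc & {"no-store", "private"}:
        return "not-stored"
    # Responses to authenticated requests need explicit permission.
    if request_had_authorization and not cc & {"public", "must-revalidate",
                                               "s-maxage"}:
        return "not-stored"
    explicit = bool(cc & {"max-age", "s-maxage", "public"}) or "expires" in h
    if not explicit and status not in DEFAULT_CACHEABLE:
        return "not-stored"
    # no-cache still allows storage, but forces validation before reuse.
    return "stored-revalidate" if "no-cache" in cc else "stored-reusable"

def audit_set_cookie(responses):
    """Return (url, verdict) for each response that sets a cookie and is
    nevertheless storable by a shared cache."""
    findings = []
    for r in responses:
        names = {k.lower() for k in r["headers"]}
        if "set-cookie" not in names:
            continue
        verdict = shared_cache_verdict(r["status"], r["headers"],
                                       r.get("authorized", False))
        if verdict != "not-stored":
            findings.append((r["url"], verdict))
    return findings

# Constructed sample responses, as they might be exported from a crawl.
SAMPLE_RESPONSES = [
    {"url": "/login", "status": 200,
     "headers": {"Set-Cookie": "sid=EXAMPLE", "Cache-Control": "max-age=300"}},
    {"url": "/account", "status": 200,
     "headers": {"Set-Cookie": "sid=EXAMPLE",
                 "Cache-Control": "private, max-age=60"}},
    {"url": "/cart", "status": 200,
     "headers": {"Set-Cookie": "cart=EXAMPLE"}},
    {"url": "/api/token", "status": 200,
     "headers": {"Set-Cookie": "t=EXAMPLE", "Cache-Control": "no-store"}},
    {"url": "/home", "status": 200,
     "headers": {"Set-Cookie": "ab=EXAMPLE", "Cache-Control": "no-cache"}},
    {"url": "/static/app.js", "status": 200,
     "headers": {"Cache-Control": "public, max-age=86400"}},
]

if __name__ == "__main__":
    for url, verdict in audit_set_cookie(SAMPLE_RESPONSES):
        print(f"{url}: Set-Cookie on a response that is {verdict}")
```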

   Caches expose additional potential vulnerabilities, since the
   contents of the cache represent an attractive target for malicious
   exploitation.  Because cache contents persist after an HTTP request
   is complete, an attack on the cache can reveal information long after
   a user believes that the information has been removed from the
   network.  Therefore, cache contents need to be protected as sensitive
   information.

   Furthermore, the very use of a cache can bring about privacy
   concerns.  For example, if two users share a cache, and the first one
   browses to a site, the second may be able to detect that the other
   has been to that site, because the resources from it load more
   quickly, thanks to the cache.

   Implementation flaws might allow attackers to insert content into a
   cache ("cache poisoning"), leading to compromise of clients that
   trust that content.  Because of their nature, these attacks are
   difficult to mitigate.

   Likewise, implementation flaws (as well as misunderstanding of cache
   operation) might lead to caching of sensitive information (e.g.,
   authentication credentials) that is thought to be private, exposing
   it to unauthorized parties.

   Note that the Set-Cookie response header field [RFC6265] does not
   inhibit caching; a cacheable response with a Set-Cookie header field
   can be (and often is) used to satisfy subsequent requests to caches.
   Servers who wish to control caching of these responses are encouraged
   to emit appropriate Cache-Control response header fields.

9.  Acknowledgments

   See Section 10 of [Part1].

10.  References

10.1.  Normative References

   [Part1]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              draft-ietf-httpbis-p1-messaging-24 (work in progress),
              September 2013.

   [Part2]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content",
              draft-ietf-httpbis-p2-semantics-24 (work in progress),
              September 2013.

   [Part4]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Conditional Requests",
              draft-ietf-httpbis-p4-conditional-24 (work in progress),
              September 2013.

   [Part5]    Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed.,
              "Hypertext Transfer Protocol (HTTP/1.1): Range Requests",
              draft-ietf-httpbis-p5-range-24 (work in progress),
              September 2013.

   [Part7]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Authentication",
              draft-ietf-httpbis-p7-auth-24 (work in progress),
              September 2013.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

10.2.  Informative References

   [BCP90]    Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              September 2004.

   [RFC1305]  Mills, D., "Network Time Protocol (Version 3)
              Specification, Implementation", RFC 1305, March 1992.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5861]  Nottingham, M., "HTTP Cache-Control Extensions for Stale
              Content", RFC 5861, April 2010.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              April 2011.

Appendix A.  Changes from RFC 2616

   The specification has been substantially rewritten for clarity.

   The conditions under which an authenticated response can be cached
   have been clarified.  (Section 3.2)

   New status codes can now define that caches are allowed to use
   heuristic freshness with them.  Caches are now allowed to calculate
   heuristic freshness for URIs with query components.  (Section 4.2.2)

   The algorithm for calculating age is now less conservative.  Caches
   are now required to handle dates with timezones as if they're
   invalid, because it's not possible to accurately guess.
   (Section 4.2.3)

   The Content-Location response header field is no longer used to
   determine the appropriate response to use when validating.
   (Section 4.3)

   The algorithm for selecting a cached negotiated response to use has
   been clarified in several ways.  In particular, it now explicitly
   allows header-specific canonicalization when processing selecting
   header fields.  (Section 4.1)

   Requirements regarding denial of service attack avoidance when
   performing invalidation have been clarified.  (Section 4.4)

   Cache invalidation only occurs when a successful response is
   received.  (Section 4.4)

   Cache directives are explicitly defined to be case-insensitive.
   Handling of multiple instances of cache directives when only one is
   expected is now defined.  (Section 5.2)

   The "no-store" cache request directive doesn't apply to responses;
   i.e., a cache can satisfy a request with no-store on it, and does not
   invalidate it.  (Section 5.2.1.5)

   The qualified forms of the private and no-cache cache directives are
   noted to not be widely implemented; e.g., "private=foo" is
   interpreted by many caches as simply "private".  Additionally, the
   meaning of the qualified form of no-cache has been clarified.
   (Section 5.2.2)

   The "no-cache" response cache directive's meaning has been clarified.
   (Section 5.2.2.2)

   The one-year limit on Expires header field values has been removed;
   instead, the reasoning for using a sensible value is given.
   (Section 5.3)

   The Pragma header field is now only defined for backwards
   compatibility; future pragmas are deprecated.  (Section 5.4)

   Some requirements regarding production and processing of the Warning
   header fields have been relaxed, as it is not widely implemented.
   Furthermore, the Warning header field no longer uses RFC 2047
   encoding, nor allows multiple languages, as these aspects were not
   implemented.  (Section 5.5)

   This specification introduces the Cache Directive and Warn Code
   Registries, and defines considerations for new cache directives.
   (Section 7.1 and Section 7.2)

Appendix B.  Imported ABNF

   The following core rules are included by reference, as defined in
   Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return),
   CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double
   quote), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any
   8-bit sequence of data), SP (space), and VCHAR (any visible US-ASCII
   character).

   The rules below are defined in [Part1]:

     OWS           =
     field-name    =
     quoted-string =
     token         =

     port          =
     pseudonym     =
     uri-host      =

   The rules below are defined in other parts:

     HTTP-date     =

Appendix C.  Collected ABNF

   In the collected ABNF below, list rules are expanded as per Section
   1.2 of [Part1].

   Age = delta-seconds

   Cache-Control = *( "," OWS ) cache-directive *( OWS "," [ OWS
    cache-directive ] )

   Expires = HTTP-date

   HTTP-date =

   OWS =

   Pragma = *( "," OWS ) pragma-directive *( OWS "," [ OWS
    pragma-directive ] )

   Warning = *( "," OWS ) warning-value *( OWS "," [ OWS warning-value ]
    )

   cache-directive = token [ "=" ( token / quoted-string ) ]

   delta-seconds = 1*DIGIT

   extension-pragma = token [ "=" ( token / quoted-string ) ]

   field-name =

   port =
   pragma-directive = "no-cache" / extension-pragma
   pseudonym =

   quoted-string =

   token =

   uri-host =

   warn-agent = ( uri-host [ ":" port ] ) / pseudonym
   warn-code = 3DIGIT
   warn-date = DQUOTE HTTP-date DQUOTE
   warn-text = quoted-string
   warning-value = warn-code SP warn-agent SP warn-text [ SP warn-date
    ]

Appendix D.  Change Log (to be removed by RFC Editor before publication)

   Changes up to the first Working Group Last Call draft are summarized
   in .

D.1.  Since draft-ietf-httpbis-p6-cache-19

   Closed issues:

   o  : "untangle Cache-Control ABNF"

   o  : "Multiple values in Cache-Control header fields"

   o  : "Case sensitivity of header fields in CC values"

   o  : "Spurious 'MAYs'"

   o  : "enhance considerations for new cache control directives"

   o  : "ABNF requirements for recipients"

   o  : "note introduction of new IANA registries as normative changes"

   o  : "broken prose in description of 'Vary'"

D.2.  Since draft-ietf-httpbis-p6-cache-20

   Closed issues:

   o  : "'Most Conservative'"

   Other changes:

   o  Conformance criteria and considerations regarding error handling
      are now defined in Part 1.

   o  Move definition of "Vary" header field into Part 2.

   o  Add security considerations with respect to cache poisoning and
      the "Set-Cookie" header field.

D.3.  Since draft-ietf-httpbis-p6-cache-21

   Closed issues:

   o  : "Allowing heuristic caching for new status codes"

   o  : "304 without validator"

   o  : "No-Transform"

   o  : "Revert prior change to the meaning of the public cache response
      directive.

D.4.  Since draft-ietf-httpbis-p6-cache-22

   Closed issues:

   o  : "explain list expansion in ABNF appendices"

   o  : "Returning the freshest response"

   o  : "placement of extension point considerations"

   o  : "Editorial notes for p6"

   o  : "Vary and future requests"

D.5.  Since draft-ietf-httpbis-p6-cache-23

   Closed issues:

   o  : "Requiring proxies to process warn-date"

   o  : "add Warning header field examples"

Authors' Addresses

   Roy T. Fielding (editor)
   Adobe Systems Incorporated
   345 Park Ave
   San Jose, CA  95110
   USA

   EMail: fielding@gbiv.com
   URI:   http://roy.gbiv.com/

   Mark Nottingham (editor)
   Akamai

   EMail: mnot@mnot.net
   URI:   http://www.mnot.net/

   Julian F. Reschke (editor)
   greenbytes GmbH
   Hafenweg 16
   Muenster, NW  48155
   Germany

   EMail: julian.reschke@greenbytes.de
   URI:   http://greenbytes.de/tech/webdav/