HTTP 标头“Cache-Control: public”有什么风险?
Cache-Control
HTTP/1.1 标头可以指定 max-age 以及缓存内容是否可以是公共的或私有的,指示中间缓存是否可以缓存该内容。
例如,Ruby on Rails 的 expires_in()
默认使用 Cache-Control: private
将其公开有什么风险?如果它是公共的,哪些额外的地方可以缓存内容——例如,它会是代理服务器吗?
如果网站像 Amazon.com,但用户是匿名的,那么可能不存在太多隐私问题?如果用户登录了,会不会存在隐私问题,因为数据经过地方,数据是可见的。如果该位置想要“坏”,那么它确实不需要关心 Cache-Control: private
。
如果这是一个用户可以登录的网站,但该网站只搜索鱼油、维生素等保健品怎么办?在这种情况下,涉及的隐私就更少了,因为它不像亚马逊,那里有更多种类的产品,例如用户可以真正更关心隐私问题的书籍。
话虽如此,拥有 Cache-Control: public
的额外优势是什么?
The Cache-Control
HTTP/1.1 header can specify max-age as well as whether the cache content can be public or private, indicating whether intermediate cache can cache the content.
For example, Ruby on Rails's expires_in()
defaults to using Cache-Control: private
What is the risk of making it public? If it is public, which extra places can cache the content -- would it be a proxy server, for example?
What if the website is like Amazon.com, but the user is anonymous, then probably there is not much privacy issue? What if the user is logged in, could there be privacy issue, because the data passes through places and the data is visible. If that location wants to be "bad", it really doesn't need to care about the Cache-Control: private
anyway.
What if it is a website where user can be logged in, but the website only search for health products like fish oil and vitamins, and so forth. In that case, there is even less privacy involved because it is unlike Amazon.com where there are a lot more variety of products such as books for which a user can really care more about privacy issue.
Having said that, what is the additional advantage of have Cache-Control: public
?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
Cache-Control: Public
的问题是响应可能会被缓存并显示给不同的用户。如果您有一个经过身份验证的应用程序显示私有数据,这就会出现问题。一般来说,您应该只对静态页面或无论哪个用户发出请求都返回相同数据的页面使用 public。The problem with
Cache-Control: Public
is that the response may be cached and displayed to a different user. This is a problem if you have an authenticated application that is displaying private data. In general, you should only use public for static pages, or pages that return the same data no matter what user is making the request.我进一步找到了以下规范:
http://www.w3。 org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1
所以看起来更多的是“共享缓存”而不是中间缓存。
I further found the following spec:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1
So it looks like it is more about "shared cache" instead of intermediate cache.