Name:
Network Transparent Proxies Break Client Cache Directives
Classification:
Architecture
Description:
HTTP is designed for the client to be aware if it is connected to
an origin server or to a proxy. Clients who believe they are
transacting with an origin server but are really in a connection
with a network transparent proxy may fail to send critical
cache-control information they would have otherwise included in
their request.
Significance:
High
Implications:
Clients may receive data that is not synchronized with the origin
even when they request an end to end refresh because of the lack
of inclusion of either a cache-control: no-cache or
must-revalidate header. These headers have no impact on origin
server behavior so may not be included by the browser if it
believes it is connected to that resource. Other related data
implications are possible as well. For instance data security may
be compromised by the lack of inclusion of private or no-store
clauses of the cache-control header under similar conditions.
Indications:
Easily detected by placing fresh (un-expired) content on a proxy
while changing the authoritative copy and requesting an end to end
reload of the data through a proxy in both transparent and
explicit modes.
Solution(s):
Eliminate the need for network transparent proxies and IP spoofing
which will return correct context awareness to the client.
Workaround:
Include relevant cache-control: directives in every request at the
cost of increased bandwidth and CPU requirements.
Contact:
Patrick McManus <mcmanus@AppliedTheory.com>
[ Not part of problem report.. There seems to be a trend not to name
names, I'm not sure if that's on purpose or not.. in any event this is
a real operational problem interacting with at least some versions of
IE, though IE is completely in-spec on the issue.. it's an
architecture problem.. ]
This archive was generated by hypermail 2b29 : Thu Nov 18 2004 - 11:21:26 MST