Michael,

On 8/23/2011 2:09 PM, Zampani, Michael wrote:
> It seems as though the kernel of logic here is that 'pages with
> security-constraints' should have these headers automatically
> added. There should be a specific reason to add the additional
> isSecure() check.

I believe Mark's argument was that web browsers are violating some spec if they cache secure pages. Tomcat should not have to set such cache-control headers for secure requests, so it's being instructed not to do so.

The fact that RFC 2616 does not mention anything about HTTPS and caching is not surprising -- it's the HTTP RFC, not the HTTPS RFC. Honestly, I couldn't find anywhere a reference to any spec that explicitly says what Mark suggests, but it was my general understanding that this was the case.

-chris