Does browser ever do cache response when no headers relating to cache returned?

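I have a simple question. I googled it but did not find the answer.

I have a page. I want to disable caching of the page content.

Yes, I can add a Cache-Control directive, such as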

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

But the question is: if no cache-related HTTP headers such as Cache-Control, Expires, Pragma, Last-Modified, ... are returned, does the browser/proxy ever cache the response in that case? If so, when?

Thanks!

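RFC-compliant clients can be stopped from caching pages by a variety of instructions. However, as far as a browser's history is concerned, anything goes.

Without a header suitable for cache validation, neither intermediaries nor clients should consider a response cacheable: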

A cache MUST NOT store a response to any request, unless […] the response either:

There might be a loophole for those responses whose status code is considered cacheable by default, according to RFC 7231, section 6.1:

Responses with status codes that are defined as cacheable by default (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in this specification) can be reused by a cache with heuristic expiration unless otherwise indicated by the method definition or explicit cache controls

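The linked section of RFC 7234 is deliberately vague. My understanding is that caches will insert a reasonable expiry time based on whatever other headers they can find. This may well allow an expiry time based on the parameters of a Set-Cookie header. Going back to section 3, the closing remark reinforces this by stating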

[…] in normal operation, some caches will not store a response that has neither a cache validator nor an explicit expiration time, as such responses are not usually useful to store. However, caches are not prohibited from storing such responses.

However, a browser is free to serve pages out of its history. From section 6:

The freshness model does not necessarily apply to history mechanisms. That is, a history mechanism can display a previous representation even if it has expired.

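In summary, intermediaries have a lot of freedom at hand to cache responses that carry no obvious cache-control directives, always provided that the request method (e.g. GET, HEAD) and the response code (see above) are cacheable in the first place. A browser's cache ought to behave like any ordinary intermediary (and to some extent it does), but in the context of its history mechanism it is free to deliberately ignore all caching mechanisms (present or absent) and load the page straight from its memory.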
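
The decision the quoted RFC passages describe, as an added example that is not part of the original answer: a Python check that labels a response by what a cache may do with it, so that pages relying on absent headers show up as heuristically cacheable. The function names, labels and sample responses are constructed for illustration, and treating only GET and HEAD as cacheable methods is a simplifying assumption.

```python
# Status codes RFC 7231 section 6.1 lists as cacheable by default (quoted above).
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}
CACHEABLE_METHODS = {"GET", "HEAD"}  # simplifying assumption for this example


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def classify(method, status, headers):
    """Label what a cache may do with a response (labels are this example's own)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if method.upper() not in CACHEABLE_METHODS:
        return "not-cacheable"
    if "no-store" in cc:
        return "forbidden"       # explicit: must not be stored at all
    if "no-cache" in cc:
        return "revalidate"      # may be stored, must be revalidated before reuse
    if "max-age" in cc or "s-maxage" in cc or "expires" in h:
        return "explicit"        # the server stated a freshness lifetime
    if status in HEURISTIC_STATUS or "public" in cc:
        return "heuristic"       # no explicit controls: the cache picks a lifetime
    return "not-cacheable"


# Constructed sample responses: (path, method, status, response headers).
SAMPLES = [
    ("/account", "GET", 200, {"Content-Type": "text/html", "Set-Cookie": "sid=1"}),
    ("/login", "GET", 200,
     {"Cache-Control": "no-cache, no-store, must-revalidate, max-age=0"}),
    ("/go", "GET", 302, {"Location": "/account"}),
    ("/transfer", "POST", 200, {"Content-Type": "text/html"}),
]


def audit(samples):
    """Return the paths whose responses are left to heuristic caching."""
    return [path for path, method, status, headers in samples
            if classify(method, status, headers) == "heuristic"]


if __name__ == "__main__":
    for path, method, status, headers in SAMPLES:
        print(path, classify(method, status, headers))
```

The check covers HTTP caches only; as the section 6 quote says, a browser's history mechanism is outside the freshness model.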