Will web browsers cache content over https
A

3

251

Will content requested over HTTPS still be cached by web browsers, or do they consider this insecure behaviour? If this is the case, is there any way to tell them it's OK to cache?

Assault answered 6/10, 2008 at 13:46 Comment(2)
Yes, browsers will cache content over HTTPS; check this link: neopatel.blogspot.com/2010/02/… - Bronchitis
@KalpeshPatel, that depends on the user settings. Some have set caching to disabled for all HTTPS pages: blogs.msdn.com/b/ieinternals/archive/2010/04/21/… - Maudmaude
C
136

By default web browsers should cache content over HTTPS the same as over HTTP, unless explicitly told otherwise via the HTTP Headers received.

This link is a good introduction to setting cache settings in HTTP headers.

is there anyway to tell them it's ok to cache?

This can be achieved by setting the max-age value in the Cache-Control header to a non-zero value, e.g.

Cache-Control: max-age=3600

will tell the browser that this page can be cached for 3600 seconds (1 hour)

Culdesac answered 6/10, 2008 at 14:25 Comment(8)
If a user were to visit mysite.com and download style.css, when they go to mysite.com would style.css get requested again? - Sandarac
I'm not sure we're all on the same page here. Are we talking about whether HTTPS content will be cached by default, or are we asking if it will be cached assuming certain HTTP response headers? The link to the web caching tutorial that you linked to from Mark Nottingham actually indicates that secure (i.e. HTTPS) or authenticated content will not be cached unless the cache-control header indicates that it's public content. - Diadiabase
Stumbled upon a nice article: blog.httpwatch.com/2011/01/28/top-7-myths-about-https - Rancher
Firefox removed the requirement for Cache-Control: public years ago. - Effendi
This statement "web browsers should cache content over HTTPS" is wrong to me. Why they should to it? Plus, please check comment below a person from chromium team "code.google.com/p/chromium/issues/detail?id=110649#c6" He says "In fact nothing is being cached (on the persistent cache)" - Fearnought
@Teomanshipahi "Why they should to it?" - Because they are HTTP compliant. "He says 'In fact nothing is being cached (on the persistent cache)'" - That comment refers to the incident, not to the browser in general. - Ventage
@Teomanshipahi Why should they cache?? uuh... because of the same reason why they should cache HTTP, for performance, network relief. Why shouldn't they cache? should be the question. - Biplane
Knowing this, this is an explicit kind of Meltdown/Spectre kind of attack. Very secure... LOL... - Meryl
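
How a browser's private cache reads the response headers discussed above, as an added example that is not part of any answer on this page. It is a simplified model of standard Cache-Control handling; the function names, the example.test URLs and the `sensitive` label are constructed for illustration.

```javascript
// Simplified model of a private (browser) cache decision.
// The URL scheme is deliberately not an input: HTTPS alone does not change the outcome.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=", 2);
    if (name) directives.set(name.toLowerCase(), arg === undefined ? true : arg.replace(/"/g, ""));
  }
  return directives;
}

function browserCachePolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);
  // no-store: the response must not be written to any cache.
  if (cc.has("no-store")) return { storable: false, freshSeconds: 0, why: "no-store" };
  // no-cache: may be stored, but must be revalidated before every reuse.
  if (cc.has("no-cache")) return { storable: true, freshSeconds: 0, why: "no-cache" };
  if (cc.has("max-age")) {
    const n = parseInt(cc.get("max-age"), 10);
    return { storable: true, freshSeconds: Number.isFinite(n) && n > 0 ? n : 0, why: "max-age" };
  }
  // Without max-age, Expires minus Date gives the lifetime; an invalid date counts as expired.
  if (h["expires"] && h["date"]) {
    const delta = (Date.parse(h["expires"]) - Date.parse(h["date"])) / 1000;
    return { storable: true, freshSeconds: delta > 0 ? delta : 0, why: "expires" };
  }
  // No explicit lifetime: the response may still be stored under browser heuristics.
  return { storable: true, freshSeconds: null, why: "heuristic" };
}

// Constructed sample responses (not from the page); `sensitive` is the reviewer's own label.
const SAMPLE = [
  { url: "https://example.test/style.css", sensitive: false, headers: { "Cache-Control": "max-age=3600" } },
  { url: "https://example.test/account", sensitive: true, headers: { "Cache-Control": "private, max-age=600" } },
  { url: "https://example.test/statement.pdf", sensitive: true, headers: { "Cache-Control": "no-store" } },
  { url: "https://example.test/profile", sensitive: true, headers: {} },
];

// Audit helper: sensitive responses that a browser is still allowed to keep.
function sensitiveButStorable(responses) {
  return responses.filter(r => r.sensitive && browserCachePolicy(r.headers).storable).map(r => r.url);
}

console.log(sensitiveButStorable(SAMPLE));
```

In this model `private` only excludes shared caches, so the `/account` response is still storable by the browser; only `no-store` keeps a response out of its cache.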
R
194

As of 2010, all modern, current-ish browsers cache HTTPS content by default, unless explicitly told not to.

It is not required to set cache-control:public for this to happen.

Source: Chrome, IE, Firefox.

Rozanna answered 6/10, 2008 at 14:30 Comment(3)
It appears, then, that the general trend is towards allowing caching of HTTPS objects; this is normally a Good Thing, as developers should be telling the browser not to cache objects at all if they are privacy-sensitive, and allowing it to do so when they are not (e.g. images, css, which is very performance-beneficial especially on HTTPS). Thanks for that. - Rozanna
Is it RFC-compliant to auto cache HTTPS resources without cache-control:public? - Maudmaude
@Maudmaude Browsers consider RFC literal "request for comments". Most often RFCs change to reflect what is already on browsers. - Realty
R
0

HTTPS is cached by default. This is managed by a global setting that cannot be overridden by application-defined cache directives. To override the global setting, select the Internet Options applet in the control panel, and go to the advanced tab. Check the "Do not save encrypted pages to disk" box under the "Security" section, but the use of HTTPS alone has no impact on whether or not IE decides to cache a resource.

WinINet only caches HTTP and FTP responses, not HTTPS responses. https://msdn.microsoft.com/en-us/library/windows/desktop/aa383928%28v=vs.85%29.aspx

Ridinger answered 8/12, 2015 at 22:25 Comment(0)
