tomcat-users mailing list archives

From "Zampani, Michael" <>
Subject RE: Cache-Control headers not being added to secure requests
Date Tue, 23 Aug 2011 18:09:17 GMT

Doesn't the entire securePagesWithPragma flag fail the robustness principle?  It's specifically
there to fix caching issues with IE, similar to the issue we're now seeing. 

I understand how I would create a Filter to do this, but I'm trying to understand why this
behavior was removed from Tomcat itself, while other IE specific logic remains.

It seems as though the kernel of logic here is that 'pages with security-constraints' should
have these headers automatically added.
There should be a specific reason to add the additional isSecure() check.

For example, there is a clear reason the POST check was added.
But I cannot find a similar argument for checking isSecure.


-----Original Message-----
From: Christopher Schultz [] 
Sent: Tuesday, August 23, 2011 6:48 AM
To: Tomcat Users List
Subject: Re: Cache-Control headers not being added to secure requests



On 8/22/2011 5:39 PM, Zampani, Michael wrote:
> However, I'm still confused about
>> - {request.isSecure()} means that the headers are only added if the 
>> request is not secure since responses from secure requests must not 
>> be cached
> I don't see anything regarding secure requests in RFC2616
> or
> RFC2818
> Also, since the code in question is limiting the cacheability of the 
> response, what is the downside of sending the no-cache header on 
> secure requests?

> I ask because we're seeing problems with IE8 caching these responses 
> where it previously did not when the headers were being automatically 
> appended.
> While it may be a client problem, it seems like the change that was 
> removed was made to work around a similar client problem.

You should be able to fix this with a simple Filter of your own design. If you need help with
such a Filter, just ask.

-chris
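
A servlet Filter of the kind suggested in the reply above, as an added example that is not part of either message and is not Tomcat's own code. The class name `NoCacheFilter`, the `skipPost` init-param and the header values are assumptions chosen for illustration; it sets the headers whether or not `isSecure()` is true.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class name). Map it in web.xml to the same
 * url-patterns as the security-constraints whose responses must not be cached.
 */
public class NoCacheFilter implements Filter {

    // Optional init-param "skipPost" (hypothetical name): leave POST responses untouched.
    private boolean skipPost;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // parseBoolean(null) is false, so the default is to cover POST as well.
        skipPost = Boolean.parseBoolean(config.getInitParameter("skipPost"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            boolean isPost = "POST".equalsIgnoreCase(request.getMethod());
            // No isSecure() test: HTTP and HTTPS requests are treated alike.
            if (!(skipPost && isPost)) {
                // setHeader replaces any value set earlier in the pipeline.
                response.setHeader("Cache-Control", "no-cache, no-store");
                response.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
                response.setDateHeader("Expires", 0L);      // already expired
            }
        }
        // Headers are set before the chain runs: once the response is
        // committed, further header changes are ignored.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```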

