tomcat-users mailing list archives

From "Zampani, Michael"
Subject RE: Cache-Control headers not being added to secure requests
Date Tue, 23 Aug 2011 20:40:07 GMT

Should I file a bug report for this?  It's only a 1 line diff.


-----Original Message-----
From: Mark Thomas
Sent: Tuesday, August 23, 2011 12:49 PM
To: Tomcat Users List
Subject: Re: Cache-Control headers not being added to secure requests

On 23/08/2011 19:09, Zampani, Michael wrote:
> Chris,
> Doesn't the entire securePagesWithPragma flag fail the robustness 
> principle?  It's specifically there to fix caching issues with IE, 
> similar to the issue we're now seeing.
> I understand how I would create a Filter to do this, but I'm trying to 
> understand why this behavior was removed from Tomcat itself, while 
> other IE specific logic remains.
> It seems as though the kernel of logic here is that 'pages with 
> security-constraints' should have these headers automatically added. 
> There should be a specific reason to add the additional isSecure() check.
> For example, there is a clear reason the POST check was added. But I
> cannot find a similar argument for checking isSecure.

The isSecure() check pre-dates my involvement with the project. I did some digging and this is the reason:

It looks very much like a work-around for an IE bug, almost certainly the same one that securePagesWithPragma is intended to fix. On that basis, I'm not against removing the request.isSecure() check.

