8515 – Would be nice to clarify how this interacts with https. Many browsers do not cache https data to disk at all and it would be nice for https based applications to have some way to take advantage of disk based cache for non-sensitive data.

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 8515 - Would be nice to clarify how this interacts with https. Many browsers do not cache https data to disk at all and it would be nice for https based applications to have some way to take advantage of disk based cache for non-sensitive data.

Summary: Would be nice to clarify how this interacts with https. Many browsers do not...

Status:	RESOLVED FIXED

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	LC
Assignee:	Ian 'Hixie' Hickson
QA Contact:	HTML WG Bugzilla archive list

URL:	http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2009-12-17 17:30 UTC by contributor
Modified:	2010-10-04 14:47 UTC (History)
CC List:	4 users (show)

See Also:

Attachments

Description contributor 2009-12-17 17:30:06 UTC

Section: http://www.whatwg.org/specs/web-apps/current-work/#appcache

Comment:
Would be nice to clarify how this interacts with https.  Many browsers do not
cache https data to disk at all and it would be nice for https based
applications to have some way to take advantage of disk based cache for
non-sensitive data.

Posted from: 216.239.45.4

Comment 1 Ian 'Hixie' Hickson 2010-01-10 11:44:54 UTC

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Accepted
Change Description: see diff given below
Rationale: I added a note to the intro about HTTPS.

I also realised that I had made it possible for manifests on one https: origin to cache files marked no-store on other https: origins, which was unintended. I've changed the spec to require that https: manifests only cache same-origin URLs.

Comment 2 contributor 2010-01-10 11:46:37 UTC

Checked in as WHATWG revision r4557.
Check-in comment: Plug a security hole with appcache: don't allow hostile https: servers to cache no-store files on other https: servers. Also, mention that https: apps can be made to work offline.
http://html5.org/tools/web-apps-tracker?from=4556&to=4557