8515 2009-12-17 17:30:06 +0000 Would be nice to clarify how this interacts with https. Many browsers do not cache https data to disk at all and it would be nice for https based applications to have some way to take advantage of disk based cache for non-sensitive data. 2010-10-04 14:47:42 +0000 1 1 1 Unclassified HTML WG pre-LC1 HTML5 spec (editor: Ian Hickson) unspecified Other other RESOLVED FIXED http://www.whatwg.org/specs/web-apps/current-work/#appcache P3 normal LC 1 contributor ian ian mike public-html-admin public-html-wg-issue-tracking public-html-bugzilla oldest_to_newest 30192 0 contributor 2009-12-17 17:30:06 +0000 Section: http://www.whatwg.org/specs/web-apps/current-work/#appcache Comment: Would be nice to clarify how this interacts with https. Many browsers do not cache https data to disk at all and it would be nice for https based applications to have some way to take advantage of disk based cache for non-sensitive data. Posted from: 216.239.45.4 30838 1 ian 2010-01-10 11:44:54 +0000 EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Accepted Change Description: see diff given below Rationale: I added a note to the intro about HTTPS. I also realised that I had made it possible for manifests on one https: origin to cache files marked no-store on other https: origins, which was unintended. I've changed the spec to require that https: manifests only cache same-origin URLs. 30839 2 contributor 2010-01-10 11:46:37 +0000 Checked in as WHATWG revision r4557. Check-in comment: Plug a security hole with appcache: don't allow hostile https: servers to cache no-store files on other https: servers. Also, mention that https: apps can be made to work offline. http://html5.org/tools/web-apps-tracker?from=4556&to=4557