------------------------------------------------------------
revno: 11732
revision-id: squid3@treenet.co.nz-20121130133838-mcylzju1alj6k2x1
parent: squid3@treenet.co.nz-20121130133544-l4a77h76rwphtpmd
committer: Amos Jeffries
branch nick: 3.2
timestamp: Fri 2012-11-30 06:38:38 -0700
message:
Treat no-cache as must-revalidate in Authentication Wrapped as a violation because this operation is off-spec. CC:no-cache was omitted from the HTTP spec apparently on grounds that changing its caching effects on authentication would come as a surprise. The actual operation is safe enough to use when parameterless no-cache is treated strictly as an alias for must-revalidate (as done by Squid now). Ref: http://lists.w3.org/Archives/Public/ietf-http-wg/2012OctDec/0387.html
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20121130133838-mcylzju1alj6k2x1
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_2
# testament_sha1: 454a2f1a8f911a11bde536677f67a2d421779a64
# timestamp: 2012-11-30 13:41:55 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_2
# base_revision_id: squid3@treenet.co.nz-20121130133544-\
# l4a77h76rwphtpmd
#
# Begin patch
=== modified file 'src/http.cc'
--- src/http.cc 2012-10-20 12:32:21 +0000
+++ src/http.cc 2012-11-30 13:38:38 +0000
@@ -395,25 +395,28 @@
 return 0;
 }
- // HTTPbis pt7 section 4.1 clause 3: a response CC:public is present
 bool mayStore = false;
+ // HTTPbis pt6 section 3.2: a response CC:public is present
 if (rep->cache_control->Public()) {
 debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
 mayStore = true;
- // HTTPbis pt7 section 4.1 clause 2: a response CC:must-revalidate is present
+ // HTTPbis pt6 section 3.2: a response CC:must-revalidate is present
 } else if (rep->cache_control->mustRevalidate() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
 debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
 mayStore = true;
-#if 0 // waiting on HTTPbis WG agreement before we do this
+#if USE_HTTP_VIOLATIONS
 // NP: given the must-revalidate exception we should also be able to exempt no-cache.
- } else if (rep->cache_control->noCache()) {
- debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache");
+ // HTTPbis WG verdict on this is that it is omitted from the spec due to being 'unexpected' by
+ // some. The caching+revalidate is not exactly unsafe though with Squids interpretation of no-cache
+ // as equivalent to must-revalidate in the reply.
+ } else if (rep->cache_control->noCache() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
+ debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache (equivalent to must-revalidate)");
 mayStore = true;
 #endif
- // HTTPbis pt7 section 4.1 clause 1: a response CC:s-maxage is present
+ // HTTPbis pt6 section 3.2: a response CC:s-maxage is present
 } else if (rep->cache_control->sMaxAge()) {
 debugs(22, 3, HERE << " Authenticated but server reply Cache-Control:s-maxage");
 mayStore = true;
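Review bot: The new `noCache()` branch lets a shared cache store an authenticated reply on the assumption that every later hit is revalidated with the origin, but the only guard visible here is `!REFRESH_OVERRIDE(ignore_must_revalidate)`. If the refresh rules offer any separate override that relaxes handling of reply no-cache (none is visible in this hunk), it should be excluded in this condition too, otherwise one user's authenticated response could be served to another without a check at the origin. I would state that invariant next to the branch, e.g. `// SECURITY: only safe while hits on no-cache replies are always revalidated with the origin`. Separately, the `mustRevalidate()` branch still logs `Cache-Control:public`, which makes it hard to audit why an authenticated reply was stored; `"Authenticated but server reply Cache-Control:must-revalidate"` would match the new no-cache message. The enclosing function starts and ends outside the hunk.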