------------------------------------------------------------
revno: 12419
revision-id: squid3@treenet.co.nz-20121129103807-y4pu52dw0mji6kr7
parent: squid3@treenet.co.nz-20121129103722-026c5061p2pxzkge
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.3
timestamp: Thu 2012-11-29 03:38:07 -0700
message:
  Treat no-cache and must-revalidate in Authentication
  
  Wrapped as a violation because this operation is off-spec.
  
  CC:no-cache was omitted from the HTTP spec apparently on grounds that
  changing its caching effects on authentication would come as a surprise.
  The actual operation is safe enough to use when parameterless no-cache
  is treated strictly as an alias for must-revalidate (as done by Squid now).
  
  Ref: http://lists.w3.org/Archives/Public/ietf-http-wg/2012OctDec/0387.html
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20121129103807-y4pu52dw0mji6kr7
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: 53f0d56489b084b2e2a2a910bf10a650ab0e3f13
# timestamp: 2012-11-29 10:40:27 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: squid3@treenet.co.nz-20121129103722-\
#   026c5061p2pxzkge
# 
# Begin patch
=== modified file 'src/http.cc'
--- src/http.cc	2012-10-20 11:29:46 +0000
+++ src/http.cc	2012-11-29 10:38:07 +0000
@@ -409,25 +409,28 @@
             return 0;
         }
 
-        // HTTPbis pt7 section 4.1 clause 3: a response CC:public is present
         bool mayStore = false;
+        // HTTPbis pt6 section 3.2: a response CC:public is present
         if (rep->cache_control->Public()) {
             debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
             mayStore = true;
 
-            // HTTPbis pt7 section 4.1 clause 2: a response CC:must-revalidate is present
+            // HTTPbis pt6 section 3.2: a response CC:must-revalidate is present
         } else if (rep->cache_control->mustRevalidate() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
             debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
             mayStore = true;
 
-#if 0 // waiting on HTTPbis WG agreement before we do this
+#if USE_HTTP_VIOLATIONS
             // NP: given the must-revalidate exception we should also be able to exempt no-cache.
-        } else if (rep->cache_control->noCache()) {
-            debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache");
+            // HTTPbis WG verdict on this is that it is omitted from the spec due to being 'unexpected' by
+            // some. The caching+revalidate is not exactly unsafe though with Squids interpretation of no-cache
+            // as equivalent to must-revalidate in the reply.
+        } else if (rep->cache_control->noCache() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
+            debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache (equivalent to must-revalidate)");
             mayStore = true;
 #endif
 
-            // HTTPbis pt7 section 4.1 clause 1: a response CC:s-maxage is present
+            // HTTPbis pt6 section 3.2: a response CC:s-maxage is present
         } else if (rep->cache_control->sMaxAge()) {
             debugs(22, 3, HERE << " Authenticated but server reply Cache-Control:s-maxage");
             mayStore = true;