Difference between no-cache and must-revalidate

2019-01-07 02:52发布

From the RFC 2616

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1

no-cache

If the no-cache directive does not specify a field-name, then a cache MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent caching even by caches that have been configured to return stale responses to client requests.

So it directs agents to revalidate all responses.

Compared this to

must-revalidate

When the must-revalidate directive is present in a response received by a cache, that cache MUST NOT use the entry after it becomes stale to respond to a subsequent request without first revalidating it with the origin server

So it directs agents to revalidate stale responses.

Particularly with regard to no-cache, is this how user agents actually, empirically treat this directive?

What's the point of no-cache if there's must-revalidate and max-age?

See this comment:

http://palpapers.plynt.com/issues/2008Jul/cache-control-attributes/

no-cache

Though this directive sounds like it is instructing the browser not to cache the page, there’s a subtle difference. The “no-cache” directive, according to the RFC, tells the browser that it should revalidate with the server before serving the page from the cache. Revalidation is a neat technique that lets the application conserve band-width. If the page the browser has cached has not changed, the server just signals that to the browser and the page is displayed from the cache. Hence, the browser (in theory, at least), stores the page in its cache, but displays it only after revalidating with the server. In practice, IE and Firefox have started treating the no-cache directive as if it instructs the browser not to even cache the page. We started observing this behavior about a year ago. We suspect that this change was prompted by the widespread (and incorrect) use of this directive to prevent caching.

Has anyone got anything more official on this?

Update

The must-revalidate directive ought to be used by servers if and only if failure to validate a request on the representation could result in incorrect operation, such as a silently unexecuted financial transaction.

That's something I've never taken to heart until now. The RFC is saying not to use must-revalidate lightly. The thing is, with web services, you have to take a negative view and assume the worst for your unknown client apps. Any stale resource has the potential to cause a problem.

And something else I've just considered, without Last-Modified or ETags, the browser can only fetch the whole resource again. However with ETags, I've observed that Chrome at least seems to revalidate on every request. Which makes both these directives moot or at least poorly named since they can't properly revalidate unless the request also includes other headers that then cause 'always revalidate' anyway.

I just want to make that last point clearer. By just setting must-revalidate but not including either an ETag or Last-Modified, the agent can only get the content again since it has nothing to send to the server to compare.

However, my empirical testing has shown that when ETag or modified header data is included in responses, the agents always revalidate anyway, regardless of the presence of the must-revalidate header.

So the point of must-revalidate is to force a 'bypass cache' when it goes stale, which can only happen when you have set a lifetime/age, thus if must-revalidate is set on a response with no age or other headers, it effectively becomes equivalent to no-cache since the response will be considered immediately stale.

-- So I'm going to finally mark Gili's answer!

标签: http
4条回答
趁早两清
2楼-- · 2019-01-07 03:20

max-age=0, must-revalidate and no-cache aren't exactly identical. With must-revalidate, if the server doesn't respond to a revalidation request, the browser/proxy is supposed to return a 504 error. With no-cache, it would just show the cached content, which would be probably preferred by the user (better to have something stale than nothing at all). This is why must-revalidate is intended for critical transactions only.

查看更多
We Are One
3楼-- · 2019-01-07 03:27

I believe that must-revalidate means "once the cache expires, refuse to return stale responses to the user even if they say that stale responses are acceptable". Whereas no-cache implies must-revalidate plus the fact the response becomes stale right away.

If a response is cacheable for 10 seconds, then must-revalidate kicks in after 10 seconds, whereas no-cache implies must-revalidate after 0 seconds.

At least, that's my interpretation.

查看更多
家丑人穷心不美
4楼-- · 2019-01-07 03:33

I think there is a difference between max-age=0, must-revalidate and no-cache:

In the must-revalidate case the client is allowed to send a If-Modified-Since request and serve the response from cache if 304 Not Modified is returned.

In the no-cache case, the client must not cache the response, so should not use If-Modified-Since.

查看更多
贪生不怕死
5楼-- · 2019-01-07 03:42

With Jeffrey Fox's interpretation about no-cache, i've tested under chrome 52.0.2743.116 m, the result shows that no-cache has the same behavior as must-revalidate, they all will NOT use local cache when server is unreachable, and, they all will use cache while tap browser's Back/Forward button when server is unreachable. As above, i think max-age=0, must-revalidate is identical to no-cache, at least in implementation.

查看更多
登录 后发表回答