Open Bug 1385980 Opened 3 years ago Updated 1 month ago

Access-Control-Max-Age value to disable caching

Categories

(Developer Documentation :: Protocols, defect, P5)

All
Other
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: paul.spangler, Unassigned)

References

()

Details

:: Developer Documentation Request

      Request Type: Correction
     Gecko Version: unspecified
 Technical Contact: 

:: Details

The current doc for the Access-Control-Max-Age header states that "A value of -1 will disable caching, requiring a preflight OPTIONS check for all calls." However, the header's value is documented to be of type delta-seconds, which is an unsigned integer (1*DIGIT, see [1]).

Additionally, the fetch spec doesn't mention -1 anywhere, but does refer to treating the value as 0 on error [2]. Looking through the Chrome code since that's what I had at hand, it treats -1 as a parse failure and falls back to its own default value (5 seconds) rather than disabling caching. On the other hand, setting Access-Control-Max-Age to 0 appears to actually disable caching.

I think the documentation should say that "A value of 0 will disable caching" instead.

[1] https://tools.ietf.org/html/rfc7234#section-1.2.1
[2] https://fetch.spec.whatwg.org/#cors-preflight-fetch

FWIW there is a WPT test to ensure that max-age=-1 disables caching. It is true that according to the spec the -1 value isn't allowed but still that is something that servers can send browsers, so it's good to agree among browsers how it should be handled.

You need to log in before you can comment on or make changes to this bug.