Cache a resource across HTTP and HTTPS
Is there a way to specify that a resource should be cached when accessed over both HTTP and HTTPS? We have lots of static content that is initially served over HTTP and then re-served over SSL when the user tries to sign up or log in, and it would be nice to cache that.
More posts by @Samaraweera270
2 Comments
No, browsers will treat HTTP and HTTPS URLs as completely different, even if the only actual difference is the presence of the s.
If they did not, this would create a serious security hole. Consider what would happen if, say, an attacker managed to tamper with a JS file loaded over insecure HTTP, and the browser later re-ran the same JS code from its cache on a secure page.
The only way you can reuse the same static resources on both secure and insecure pages is to load them from the exact same URLs. Here, you have basically two choices:
Use HTTPS for your static resources, even when the main page is loaded over HTTP. This will work and is secure, but the use of HTTPS will impose a small CPU cost and will prevent shared proxies from caching the resources. However, the user's browser will still cache them, and it's still possible to use a reverse proxy or a CDN to serve the resources, as long as they can act as trusted SSL endpoints.
Use HTTP for your static resources, even when the main page is loaded over HTTPS. This may also work in some browsers, but it's not secure. Even browsers where it does work will usually warn the user about the presence of insecure content or just treat the whole page as insecure. For example, IE8 will display a "mixed content" warning, while IE9 just won't load the insecure resources (except for images).
Of course, you also have a third option: just use HTTPS for all of your pages. This might be more practical than you'd think, especially if a substantial fraction of your traffic is already using HTTPS.
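Added example, not part of the answer above: a small Python audit that resolves a page's subresource references against the page URL and reports those that would still be fetched over plain HTTP, together with the HTTPS URL that both the HTTP and HTTPS versions of the page could reference to share one cache entry. The hostnames and sample HTML are constructed, and the active/passive tag table is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, kind). "active" content can script or restyle the
# page; images are "passive", which is why some browsers still load them.
SUBRESOURCES = {
    "script": ("src", "active"),
    "link": ("href", "active"),
    "iframe": ("src", "active"),
    "img": ("src", "passive"),
}

class SubresourceAudit(HTMLParser):
    """Collect subresources that resolve to an http:// URL for a given page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, kind, resolved_url, https_url)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as subresources here
        ref = attrs.get(attr)
        if not ref:
            return
        # Relative and protocol-relative references inherit the page's scheme.
        parts = urlsplit(urljoin(self.page_url, ref))
        if parts.scheme == "http":
            https_url = parts._replace(scheme="https").geturl()
            self.findings.append((tag, kind, parts.geturl(), https_url))

def audit(page_url, html):
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup, shared by the HTTP and HTTPS versions of a page.
SAMPLE = """
<script src="http://static.example.test/app.js"></script>
<link rel="stylesheet" href="/css/site.css">
<img src="//static.example.test/logo.png">
<script src="https://static.example.test/lib.js"></script>
"""
```

Auditing the same markup as `https://www.example.test/login` flags only the hard-coded `http://` script (mixed content), while auditing it as `http://www.example.test/` also flags the relative and protocol-relative references, which resolve to different URLs than on the HTTPS page and so are cached separately.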
I have not found anything that specifically states how browsers should handle sharing https and http cached content, and I have found conflicting information online as well.
For example: I cleared my cache in Firefox, visited www.google.com, reviewed my disk cache (type about:cache in the URL bar), and then visited www.google.com.
Even though both http and https cached content, the https site did not fetch cached http resources. Anyway, here are a few articles that could be useful:
www.mnot.net/cache_docs/
http://www.web-caching.com/welcome.html
www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13
Hope this helps!