3 votes

I've read about single Cache-Control header values. To test what I learned, I opened Facebook and inspected it. This is the Cache-Control response header I get:

cache-control:private, no-cache, no-store, must-revalidate

I am confused about what this header actually tells, because it contains 4 values at once. So what happens with a resource sent through the network if it carries such a header?

EDIT:

no-store says, "do not store at all, not in private nor public caches", and no-cache says "yeees you can cache, but make sure you revalidate for freshness when the resource is requested". Private says "you can store in private caches". It can't do all 3 at the same time. But yet, here we have them sent in a response at the same time. Looks like there are some additional rules I am not aware of.

2  I know what they mean separately, I don't know what to think about them when there is more than one. no-cache and no-store mean different things and cannot be obeyed at the same time, for example. (sanjihan)

no-cache does not say “you can cache.” private does, and so it does contradict no-store in theory, but this is not a problem in practice. (Vasiliy Faronov)

2 Answers

4 votes

RFC 7234 is a good reference for the precise meaning of the headers.

no-cache and no-store mean different things and cannot be obeyed at the same time for example.

They absolutely can. The directives are redundant, but not contradictory. no-cache:

indicates that a cache MUST NOT use a stored response to satisfy the request without successful validation on the origin server.

and no-store:

indicates that a cache MUST NOT store any part of either this request or any response to it.

As no-store is essentially stricter than no-cache, the result is effectively no-store. Similarly for the other headers; I believe:

Cache-control: no-store

would be a simpler way to get the same result. However, it's possible that the header you're seeing is a combination of advice, rather than an intentionally consistent policy.

Note that, as the spec says, duplicated directives may be invalid:

When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale.

but I don't believe that's the case here.
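To make the rules the answer quotes concrete for the header in the question, here is an added example (not code from the question, the answer, or any library): a small reader that parses a Cache-Control response value per RFC 7234 §5.2, keeps repeated directives so they can be flagged as invalid (§4.2.1), and reduces the directive list to one effective storage policy, with no-store overriding everything else. All function and field names are this example's own; the second sample header is constructed.

```python
"""
Added example, not code from the question or answer above: a Cache-Control
response-header reader following the RFC 7234 rules quoted in the answer
(no-store beats no-cache; a repeated directive is invalid). All function and
field names are this example's own, not any library's API.
"""

# Header from the question (seen on facebook.com) and one constructed sample
# with a duplicated max-age and a field-name-qualified no-cache.
FACEBOOK_HEADER = "private, no-cache, no-store, must-revalidate"
CONSTRUCTED_HEADER = 'public, max-age=60, max-age=0, no-cache="Set-Cookie"'


def _split_directives(value):
    """Split on commas that are not inside a quoted-string (RFC 7234 section 5.2)."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(value):
        ch = value[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "\\" and in_quotes and i + 1 < len(value):
            # quoted-pair: keep the escaped character, drop the backslash
            buf.append(value[i + 1])
            i += 2
            continue
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_cache_control(header_value):
    """Return {name: [argument, ...]}. Names are case-insensitive; a name maps
    to a list so that a repeated directive survives parsing and can be flagged."""
    directives = {}
    for part in _split_directives(header_value):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # unwrap quoted-string argument
        directives.setdefault(name, []).append(arg if arg else None)
    return directives


def effective_policy(directives):
    """Reduce the parsed directives to what a cache may actually do."""
    # Section 4.2.1: a directive given more than once has an invalid value.
    invalid = sorted(name for name, args in directives.items() if len(args) > 1)
    no_store = "no-store" in directives

    # A bare no-cache forbids reuse without validation; no-cache="Field, ..."
    # only forbids reusing those header fields from the stored response.
    no_cache_args = directives.get("no-cache", [])
    unconditional_no_cache = None in no_cache_args
    uncacheable_fields = []
    if no_cache_args and not unconditional_no_cache and "no-cache" not in invalid:
        uncacheable_fields = [f.strip() for f in no_cache_args[0].split(",") if f.strip()]

    lifetime = None
    if "max-age" in directives and "max-age" not in invalid:
        try:
            lifetime = int(directives["max-age"][0])
        except (TypeError, ValueError):
            lifetime = None  # non-numeric max-age: no usable freshness info

    return {
        # no-store wins: nothing may be written to any cache.
        "storable_private": not no_store,
        "storable_shared": not no_store and "private" not in directives,
        "revalidate_before_every_use": unconditional_no_cache,
        "revalidate_once_stale": "must-revalidate" in directives,
        "uncacheable_fields": uncacheable_fields,
        "freshness_lifetime": lifetime,
        "invalid_directives": invalid,
    }


if __name__ == "__main__":
    for header in (FACEBOOK_HEADER, CONSTRUCTED_HEADER):
        print(header)
        for key, value in effective_policy(parse_cache_control(header)).items():
            print(f"  {key}: {value}")
```

For the Facebook header the policy comes out as "not storable by any cache, validate on every use", which is exactly what `no-store` alone would give; `private` and `must-revalidate` add nothing once storage is forbidden. The reason this matters for a response carrying session data is that `private` by itself still lets the browser write it to disk, whereas `no-store` is the directive that keeps it out of caches on shared machines. The constructed header shows the other half of the answer: the repeated `max-age` is reported as invalid and the freshness lifetime is left unknown, so a cache following the quoted text would treat the response as stale.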