Hi there 👋,
Greetings from the Django community. I am raising an issue that came up in the Django 6.1 development process and has been raised here:
mdn/content#44021
https://forum.djangoproject.com/t/should-we-make-it-harder-to-cache-responses-containing-csp-nonces/45065
It concerns 7.1 nonce reuse.
I would like to gain clarity on the cache implementation of cache proxies (CDNs).
My understanding is that RFC 7234 caches like CDNs should NOT cache responses if a nonce-source is present in the policy, or should regenerate them (which nginx and others can do already), meaning that they would NOT require additional instructions via Cache-Control headers.
If that is not the case, applications would need to set explicit cache-control headers (like "private") to achieve a correct caching behavior.
In both cases, this would require updates to Django's cache middleware or CSP middleware. So your input is greatly appreciated!
Best,
Joe
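The second option the post describes (the application adds an explicit Cache-Control directive whenever its policy carries a nonce-source) can be shown end to end with a small simulation. This is an added example, not Django's middleware and not code from the thread: the shared-cache model is a deliberately simplified stand-in for an RFC 7234/9111 cache that looks only at Cache-Control and never at Content-Security-Policy, `mark_private_if_nonced` is a hypothetical helper (not Django's `patch_cache_control`), and the `render_page` origin, the URL and the header values are constructed for the demo.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Matches a CSP nonce-source such as 'nonce-abc123' and captures the value.
NONCE_SOURCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")


def csp_nonces(csp_header: str) -> set:
    """Return every nonce value that appears in a Content-Security-Policy header."""
    return set(NONCE_SOURCE_RE.findall(csp_header))


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse 'public, max-age=600' into {'public': None, 'max-age': '600'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """Simplified shared-cache (CDN) storage decision, constructed for this example.
    Like a real RFC 9111 cache it consults Cache-Control only; it has no idea what
    a CSP nonce is. no-store / private keep it out, no-cache forces revalidation,
    and otherwise an explicit freshness lifetime makes the response reusable."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc or "no-cache" in cc:
        return False
    return "max-age" in cc or "s-maxage" in cc


def mark_private_if_nonced(headers: Dict[str, str]) -> Dict[str, str]:
    """Hypothetical middleware step (assumption, not Django's API): if the policy
    contains a nonce-source, add 'private' so a shared cache will not hand this
    response, and its nonce, to another user. 'public' is dropped because it
    contradicts 'private'."""
    if not csp_nonces(headers.get("Content-Security-Policy", "")):
        return headers
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    cc.pop("public", None)
    cc["private"] = None
    patched = dict(headers)
    patched["Cache-Control"] = ", ".join(
        k if v is None else f"{k}={v}" for k, v in cc.items()
    )
    return patched


@dataclass
class Response:
    headers: Dict[str, str]
    body: str


def render_page(mitigate: bool) -> Response:
    """Constructed origin: a fresh nonce per response, but with the headers a
    'public' page would normally carry, which is exactly the risky combination."""
    nonce = secrets.token_urlsafe(16)
    headers = {
        "Content-Security-Policy": f"script-src 'nonce-{nonce}'; object-src 'none'",
        "Cache-Control": "public, max-age=600",
    }
    if mitigate:
        headers = mark_private_if_nonced(headers)
    return Response(headers, f'<script nonce="{nonce}">init()</script>')


class SharedCache:
    """Minimal CDN-style cache in front of an origin callable."""

    def __init__(self, origin: Callable[[], Response]):
        self.origin = origin
        self.store: Dict[str, Response] = {}

    def get(self, url: str) -> Response:
        if url in self.store:
            return self.store[url]
        resp = self.origin()
        if shared_cache_may_store(resp.headers):
            self.store[url] = resp
        return resp


def simulate(mitigate: bool) -> Tuple[str, str]:
    """Two different users request the same URL through one shared cache;
    return the nonce each of them received."""
    cache = SharedCache(lambda: render_page(mitigate))
    first, second = cache.get("/"), cache.get("/")
    return (
        next(iter(csp_nonces(first.headers["Content-Security-Policy"]))),
        next(iter(csp_nonces(second.headers["Content-Security-Policy"]))),
    )


if __name__ == "__main__":
    print("without mitigation, nonces equal:", simulate(False)[0] == simulate(False)[1])
    print("with mitigation, nonces equal:   ", simulate(True)[0] == simulate(True)[1])
```

Run without the mitigation, both users get the same nonce back from the cache, which is the reuse the thread is about: anyone can fetch the page, read the nonce, and it is then valid for every other user served from that cache entry. With the mitigation the shared cache refuses the response and each user gets a freshly rendered nonce. `private` only keeps shared caches out; a deployment that also wants to defeat browser-side reuse would add `no-store`, at the cost of caching the page at all.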