http, browser-cache, cache-control

Does a browser ever cache a response when no cache-related headers are returned?


I have a simple question. I googled but found no answer.

I have a page. I want to disable caching for the page content.

Yes, I can add a Cache-Control directive such as

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

But the question is: if there are NO HTTP headers relating to caching returned, such as Cache-Control, Expires, Pragma, Last-Modified, ..., does the browser/proxy ever cache the response in this case? If yes, when?

Thank you!


Solution

  • RFC-compliant clients can be kept from caching a page through a variety of instructions. However, as far as a browser's history is concerned, anything goes.

    If there are no headers suitable for cache validation, neither intermediaries nor clients should consider a response to be cacheable:

    A cache MUST NOT store a response to any request, unless […] the response either:

    A loophole may be those responses with status codes considered to be cacheable by default as per RFC 7231, section 6.1:

    Responses with status codes that are defined as cacheable by default (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in this specification) can be reused by a cache with heuristic expiration unless otherwise indicated by the method definition or explicit cache controls

    The linked section of RFC 7234 is deliberately vague. My reading is that caches are to interpolate reasonable expiration times based on whatever other headers they can find. This may very well allow expiration times to be based on the parameters of a Set-Cookie header. Going back to section 3, the closing statement reinforces this by stating that

    […] in normal operation, some caches will not store a response that has neither a cache validator nor an explicit expiration time, as such responses are not usually useful to store. However, caches are not prohibited from storing such responses.

    Browsers, however, are free to serve pages out of their history at will. From section 6:

    The freshness model does not necessarily apply to history mechanisms. That is, a history mechanism can display a previous representation even if it has expired.

    In conclusion, intermediaries have a lot of liberties at hand to cache a response with no obvious cache control instructions, always provided the request method (e.g. GET, HEAD) and the response code (see above) are cacheable in the first place. The browser's cache is supposed to behave like any ordinary intermediary (in a way it is, really), but in the context of the history mechanism, it is free to deliberately ignore all caching mechanisms (present or absent) and load pages directly from its memory.
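The storage rules quoted in the answer can be turned into a header audit that flags responses whose reuse is left to a cache's own heuristics. This is an added example, not part of the original question or answer; the function names, category labels and sample responses are constructed for illustration, and limiting cacheable methods to GET and HEAD is a simplification that follows the answer's examples.

```python
# Added example: classify how a cache may treat a response, following the
# rules quoted above (RFC 7234 section 3 and RFC 7231 section 6.1).
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}
CACHEABLE_METHODS = {"GET", "HEAD"}  # simplification: the answer's examples
EXPLICIT = {"max-age", "s-maxage", "no-cache"}

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def classify(method, status, headers):
    """Return 'not-storable', 'explicit' or 'heuristic' for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if method.upper() not in CACHEABLE_METHODS or "no-store" in cc:
        return "not-storable"
    if "expires" in h or EXPLICIT & cc.keys():
        return "explicit"      # the server stated how reuse is governed
    if status in HEURISTIC_STATUSES or "public" in cc:
        return "heuristic"     # no directive: the cache picks a lifetime
    return "not-storable"      # e.g. a bare 302 with no cache headers

def audit(responses):
    """Return the URLs whose caching is left to heuristics."""
    return [url for url, method, status, headers in responses
            if classify(method, status, headers) == "heuristic"]

# Constructed sample responses: (url, method, status, headers)
SAMPLE = [
    ("/account", "GET", 200, {"Content-Type": "text/html"}),
    ("/login", "GET", 200, {"Cache-Control": "no-cache, no-store, "
                                             "must-revalidate, max-age=0"}),
    ("/go", "GET", 302, {"Location": "/account"}),
    ("/old", "GET", 301, {"Location": "/new"}),
    ("/submit", "POST", 200, {}),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("no explicit cache policy:", url)
```

A URL reported by `audit` is one where an explicit `Cache-Control: no-store` is needed if the content must not be kept by caches; it does not cover the browser history mechanism described in the answer.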