
I've been investigating the Pragma header, since there are already two other cache-busting HTTP response headers (Cache-Control & Expires), and I was interested in which browsers use(d) the old HTTP 1.0 one.

It turns out the spec only defines Pragma behavior (no-cache) for HTTP 1.0 requests, not responses.

The only specific browser mentions I can find are for IE4, which seems to require 32 KB of content before honoring it as a <meta> element, meaning that as a header it never worked even when that browser was relevant, and Netscape 4, which apparently also didn't work.

OWASP seems to be recommending this header, and a few big sites use it, but it seems a lot like it got started as a "just in case", was never actually supported, and was perpetuated as a superstition.

Has anyone observed a reproducible (and desirable) change in behavior by using the Pragma HTTP header in a response, distinct from the functionality of Cache-Control or Expires?

brianary
  • http://stackoverflow.com/questions/10314174/difference-between-pragma-and-cache-control-headers – smali Apr 22 '15 at 05:09
  • @ali786 The accepted answer for that question is wrong, and the other focuses only on the correct usage of the header. I'm interested in real software examples where implementors may have misread the spec and a response's Pragma header has a different effect than the Cache-Control or Expires headers. OWASP is recommending it as a response header —but is there any reason to? – brianary Apr 22 '15 at 05:22
  • In its possible role in informing caching behavior for proxies along the communication path, it seems reasonable to think that the server might want to ensure a particular kind of response not be cached.... regardless of the state of that 'thinking' at the time of the request. Is that the kind of thing that you mean? – Rondo Apr 24 '15 at 05:23
  • @Rondo No. I'm trying to tell if the Pragma header in particular achieves that need, any more than the Cache-Control or Expires headers already do, or if it's just being employed superstitiously. – brianary Apr 24 '15 at 05:37
  • @brianary My understanding is that with HTTP/1.0 responses, no-cache and no-store Cache-Control directives are ignored in some browsers like older IE versions (8, 9 ish) and that Pragma no-cache works, but only with SSL connections in ie8 and early ie9. – Rondo Apr 25 '15 at 02:05
  • @Rondo Check out the answer below; IE supported Cache-Control as far back as version 4, at least. If you've got specific examples of software that support Pragma but not Cache-Control, that's what I'm looking for. – brianary Apr 25 '15 at 03:45
  • Current versions? Squid proxy used to put Pragma ahead of Cache-Control in priority, and it also did so with response headers. – Rondo Apr 26 '15 at 23:33
  • @Rondo Yes, that's linked below as well. Pragma ranked higher, but didn't do anything *differently*, it was just an alias for Cache-Control. – brianary Apr 27 '15 at 00:21
  • Squid: "Due to some old server software Pragma:no-cache on responses was treated as a mistaken form of Cache-Control:no-store." - I don't understand why your interest is only in 'beneficial' ... regardless, it's unclear what 'mistaken' actually means in this quote. It is likely that the 'mistake' would provide some benefit for some cases. – Rondo May 07 '15 at 05:24
  • @Rondo The point of the question is whether Pragma itself is needed, as OWASP asserts. Squid just treats it as an alias of Cache-Control, so Pragma isn't needed, since Cache-Control does the same thing. Does anything respond *only* to this misuse of Pragma? – brianary May 08 '15 at 04:18
  • I've no documentation of the specific 'mistake'; but I read the comments about it as being a wholly unique interpretation of no-store. And so, I gather, not anything covered by Cache-Control directives. I would expect something like that to be part of the commentary. I could be wrong of course. WRT effects, it would not be nec. to describe the behavior of anything other than Squid since that is where the interpretation is made in this case. – Rondo May 09 '15 at 04:29
  • @Rondo The Squid site is pretty clear that the Pragma behavior is just an alias for Cache-Control: no-store, not unique. Not sure what you mean by "mistake". Only something other than Squid, since Squid is not a valid example, would be relevant to answer the question of whether any software responds only to Pragma. – brianary May 09 '15 at 04:38
  • For the 'mistake' refer to my quote above beginning 'Due to some old software...' What the documentation says about behavior now and what the software did in this case are different. If that current form of the software is your justification for disqualifying Squid behavior, then you have closed the final door and succeeded in formulating a question to which you could not possibly get an affirmative answer. – Rondo May 10 '15 at 05:41
  • @Rondo I'm looking for examples of Pragma doing something unique. Without that, there is no reason to use it. What are you asserting that Pragma does in Squid, that cannot be done with Cache-Control? – brianary May 10 '15 at 06:35
  • As you respond, your focus is narrowing and your original intention is becoming clearer. You gave no time-frame limits: that is why I asked about current versions. Because if you are interested in behavior in older versions...perhaps because you might be interested in how software in the field might behave, then there is this unique Squid case, which, by virtue of it being a mistaken interpretation, cannot be the same as Cache-Control since the aim was to emulate Cache-Control. I don't care to find out what it might be. If it doesn't matter to you then we are done. – Rondo May 13 '15 at 03:32
  • @Rondo "cannot be the same as Cache-Control since the aim was to emulate Cache-Control"? Does this make sense? I didn't catch what behavior Squid's Pragma performs that cannot be achieved by Cache-Control. I thought "perpetuated as a superstition" was a pretty clear expression of what I was seeking. – brianary May 13 '15 at 03:45
  • Yes it makes sense. The behavior was aimed at emulating cache-control or no-cache. Someone interpreted incorrectly. Hence, the behavior *must be* different than cache-control; otherwise, it would not have been a mistaken interpretation, right? – Rondo May 14 '15 at 04:48
  • @Rondo No. They may have mis-implemented Cache-Control's no-cache directive as any one or combination of other Cache-Control directives, such as no-store, must-revalidate, private, public, &c. Do you have a link to the description? – brianary May 14 '15 at 05:22
  • Yes, but as I suggested, I think that would have been explicitly stated as how the interpretation was incorrect. Again, so it appears to me a unique interpretation. There are no specifics given about the 'mistaken interpretation'. https://squidproxy.wordpress.com/2012/10/16/squid-3-2-pragma-cache-control-no-cache-versus-storage/ ... 3rd bullet in first list of section 'no-cache in Squid'. That's all I have, unless you still want to belabor that point. I have no aim other than to clarify it in the hope you are really after a solution to which that may be germane. Idgas about the bounty. – Rondo May 15 '15 at 20:11
  • @Rondo I guess I take "was treated as a mistaken form of Cache-Control" to mean that it mistakenly treated it as Cache-Control. Even if your interpretation is right, we'd need to get at least *some* detail to know whether it makes sense for OWASP (and others) to reflexively recommend it. Different is the first criterion, improved security is the second. I think we're well past belaboring, unfortunately. – brianary May 15 '15 at 20:59
  • "we'd need to get at least some detail" -- right. That would not be something I can help you with. You have the contact info. – Rondo May 16 '15 at 21:34

1 Answer

Pragma is deprecated in favor of Cache-Control, but because of its common misuse as a response header there are clients and proxies who will interpret it as such.

Past Squid versions are an example, and starting with 3.2, Squid is advertising and attempting to fully support the HTTP/1.1 specification, meaning Pragma in a server response has no meaning whatsoever and will be ignored.

According to Microsoft KB234067, Internet Explorer 4.01 and 6.0 allow Pragma: no-cache in a secure HTTP response and a Pragma: no-cache meta tag via an insecure response. Other browsers such as Firefox seem to have spotty support of it.

Note that RFC 2616 states:

> Cache directives are unidirectional in that the presence of a directive in a request does not imply that the same directive is to be given in the response.
>
> Note that HTTP/1.0 caches might not implement Cache-Control and might only implement Pragma: no-cache (see section 14.32).

phiz
  • It looks like [IE4](https://books.google.com/books?id=QzndBAAAQBAJ&pg=PA501&lpg=PA501&dq=ie4+cache-control&source=bl&ots=IZN6-UVp4e&sig=b5iIsxqIhU49BuozIePfnjqeQpc&hl=en&sa=X&ei=t7E3Vc6jNM7ioATYkoHYBw&ved=0CCEQ6AEwAQ#v=onepage&q=ie4%20cache-control&f=false), [IE6](http://stackoverflow.com/a/43271/54323), and [pre-3.2 Squid](http://wiki.squid-cache.org/SquidFaq/InnerWorkings#How_come_some_objects_do_not_get_cached.3F) all supported Cache-Control though, so Pragma still wouldn't be necessary for them, or represent _distinct_ behavior. (I've added some clarification to the question.) – brianary Apr 22 '15 at 14:40
  • This shows the problem with the stupid auto-awarding bounty system. This does *not* answer the question of whether Pragma is necessary. I suspect those voting it up didn't fully read the question. – brianary May 04 '15 at 21:30
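To make the question and answer above concrete, here is an added example (not code from the thread, from Squid, or from any real cache) that models how an HTTP/1.1 cache and a hypothetical HTTP/1.0-era cache that only knows Pragma read these response headers. Both cache models and the sample responses are constructed for illustration.

```python
# Added example (not from the thread): a small model of how two generations of
# caches read the cache-busting response headers discussed above, so the
# "is Pragma ever distinct?" question can be stated as code. The two cache
# models and the sample responses are constructed for illustration.

def parse_directives(value):
    """Split 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def http11_cache_stores(headers):
    """HTTP/1.1 shared cache (RFC 2616 / RFC 7234, simplified): whether the
    response may be stored is governed by Cache-Control alone; Pragma has no
    defined meaning in a response, so it is never consulted here."""
    cc = parse_directives(_lower(headers).get("cache-control", ""))
    return not ("no-store" in cc or "private" in cc)

def legacy_pragma_only_cache_stores(headers):
    """Hypothetical HTTP/1.0-era cache that never implemented Cache-Control,
    the case RFC 2616 section 14.9 warns about, and honours only Pragma."""
    pragma = parse_directives(_lower(headers).get("pragma", ""))
    return "no-cache" not in pragma

def pragma_is_distinct(headers):
    """True only if some modelled cache changes its decision because Pragma
    is present, i.e. Pragma does something Cache-Control did not already do."""
    without = {k: v for k, v in headers.items() if k.lower() != "pragma"}
    return any(f(headers) != f(without)
               for f in (http11_cache_stores, legacy_pragma_only_cache_stores))

# Constructed sample responses (header dicts only).
CC_ONLY = {"Cache-Control": "no-cache, no-store, must-revalidate"}
PRAGMA_ONLY = {"Pragma": "no-cache"}
BOTH = {"Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0"}

if __name__ == "__main__":
    for name, h in [("CC_ONLY", CC_ONLY), ("PRAGMA_ONLY", PRAGMA_ONLY), ("BOTH", BOTH)]:
        print(name, "HTTP/1.1 stores:", http11_cache_stores(h),
              "legacy stores:", legacy_pragma_only_cache_stores(h),
              "Pragma distinct:", pragma_is_distinct(h))
```

Under the HTTP/1.1 model the Pragma-only response is still storable, and Pragma only changes an outcome for the hypothetical legacy cache, which is exactly the kind of client the question asks whether anyone has actually observed.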