`Cache-Control: no-transform` redundant w/ TLS? #185
Good catch. (Also: https://csswizardry.com/2019/03/cache-control-for-civilians/#no-transform)
Everyone seems to agree with that statement! If it is still useful? H5BP doesn't default to TLS configs (which is debatable), but today more than not - developers use TLS for their websites. Which renders
Side note: if we keep it, the rfc link needs to be updated to https://tools.ietf.org/html/rfc7234#section-5.2.1.6
I don't have an opinion myself since I only use HTTPS in all my projects.
Same for me. I think we can consider dropping it.
Obsoleted with secure servers See h5bp/server-configs-apache#185
While I'm not advocating reverting this change, I wanted to point out that Google's Lite Mode (previously known as Data Saver) does work on https, and does respect Reference: https://venturebeat.com/2019/04/23/google-kills-chrome-data-saver-extension/
Thanks for the information @markwoon. The IETF RFC 7230, section 5.7.2 on transformations refers to proxies only, and the articles I listed initially all refer to "proxies cannot modify payloads over HTTPS". However, in comment 8 in https://bugs.chromium.org/p/chromium/issues/detail?id=941948#c8 clarifies: This certainly favors keeping https://github.com/h5bp/server-configs-apache/blob/master/src/web_performance/content_transformation.conf as is. Currently, the snippet applies to all content, while the Google Bot only looks for From what I've read, these transformations may apply to any website really. Not only slow websites, but rather whether the user is on a slow client or not. If you have a Google account, you can use the Transcoder test tool or visit googleweblight.com with your url in the Useful articles:
Changes motivated by h5bp#185
Thanks for this extensive review, guys! Although I personally am not in favor of using these kinds of weird tools, I don't feel comfortable advocating against data savers & co usage. The scenario is very different from the original arguments focusing on the addition of advertisements or trackers.
I'm going to abstain from what the default should be. I'm on slow connections often enough to know how painful that can be, but I also hate debugging caching problems. I do vote for this getting documented. People should decide for themselves how they want their site to behave.
While I agree that data saving is important (in fact I proposed a CSS media query allowing developers to serve lighter content based on that preference) I think developers should be wary of the fact that their content may be modified unless having opted out from it, since these transformations may disable scripts, styles and even form submissions.
No, not promoting it, but more so what @markwoon said. Until yesterday I had no idea my content was subject to transcoding. But I agree, in most cases content transformation (certainly under Google's Web Light heuristics, e.g.: user is on a 2G connection, Google Bot finds the page will take more than 5 seconds to load) will be useful and developers should be careful opting out.
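A way to check which responses actually carry the opt-out directive debated in this thread, written as an added example (not part of the issue or of the h5bp project's code). The function names and the sample header values are constructed for illustration; the parser follows the directive grammar of RFC 7234 section 5.2 so that a quoted argument or a look-alike token is not mistaken for `no-transform`.

```python
import re

# One directive per RFC 7234 section 5.2: token, optionally "=" and a token
# or quoted-string argument. Quoted strings may themselves contain commas.
_DIRECTIVE = re.compile(
    r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)'
    r'(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]*))?'
    r'\s*(?:,|$)'
)

def parse_cache_control(value):
    """Map lower-cased directive names to their argument (None if absent)."""
    directives, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if m is None:
            # Malformed element: skip to the next comma instead of guessing.
            comma = value.find(",", pos)
            pos = len(value) if comma == -1 else comma + 1
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if arg and arg.startswith('"'):
            arg = re.sub(r'\\(.)', r'\1', arg[1:-1])  # strip quotes, unescape
        directives[name] = arg or None
        pos = m.end()
    return directives

def opts_out_of_transformation(header_values):
    """True if any Cache-Control line of a response carries no-transform."""
    return any("no-transform" in parse_cache_control(v) for v in header_values)

# Constructed sample: path -> Cache-Control header lines seen in the response.
SAMPLE_RESPONSES = {
    "/index.html": ["max-age=3600, No-Transform"],
    "/app.js": ["public", "max-age=31536000,no-transform"],
    "/form.html": ['private="no-transform, x", max-age=0'],
    "/legacy.css": ["public, x-no-transform"],
    "/api/data": [],
}

def paths_without_opt_out(responses):
    """Paths whose responses may still be transformed by an intermediary."""
    return sorted(p for p, cc in responses.items()
                  if not opts_out_of_transformation(cc))

if __name__ == "__main__":
    for path in paths_without_opt_out(SAMPLE_RESPONSES):
        print("no-transform missing:", path)
```
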
👍
That's my main concern. 😉
…#191)
* Update link to RFC, add mentions of Lite Mode
Changes motivated by #185
* Refactor desc., highlight caution for disabling
I added that we're using `cache-control: no-transform` in the introductory paragraph because that is what we link to below that paragraph. Can remove if redundant, but added for clarity. Also, IMO we should still separate the warnings "(!)" about considering the impact of disabling content transformations and "If you are using `mod_pagespeed`" because the majority of developers probably aren't using `mod_pagespeed` and so if you aren't using it, it's simple to distinguish.
This partially reverts commit 282d979 Ref h5bp/server-configs-apache#185
This reverts commit eb60bf6 Ref: h5bp/server-configs-apache#185
Is `cache-control: no-transform` redundant over HTTPS?
https://meta.discourse.org/t/add-cache-control-no-transform-http-header/25152/3
https://isc.sans.edu/forums/diary/The+Security+Impact+of+HTTP+Caching+Headers/17033/
As suggested by some folks in their articles, "payload transformations" aren't possible over HTTPS. This sounds logical, but I am unsuccessful in confirming this.
In https://tools.ietf.org/html/rfc7234#section-5.2.1.6 I'm unable to traverse up to find information on payload transformation in relation to the HTTP/HTTPS protocol.
If it is the case that `no-transform` is redundant over HTTPS, then this:
server-configs-apache/src/web_performance/content_transformation.conf, Line 21 in e12ae05
Could be (or only/and with a note stating no need to use if HTTPS?):