Pragma no-cache

For technical support for all editions of CSS HTML Validator. Includes bug reports.
RSteinwand
Rank VI - Professional
Posts: 573
Joined: Mon Jun 09, 2008 2:12 pm
Location: Fargo, ND

Post by RSteinwand » Thu Apr 20, 2017 9:49 am

Hi Albert,

A PCI audit a few years ago (before HTML5) recommended we add this:

<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-store,no-cache">
... yet CSE complains and calls it an error.
The "pragma" pragma directive specified by the "http-equiv" attribute is not recognized. Consider removing this tag. Visit https://www.w3.org/TR/html5/document-me ... directives and https://wiki.whatwg.org/wiki/PragmaExtensions for more information.

The "cache-control" pragma directive is not allowed and not used in HTML5. Furthermore, placing caching instructions into meta tags is not recommended because proxies may not handle them. Instead, use real HTTP headers to send caching instructions.
Wikipedia lists both as valid: https://en.wikipedia.org/wiki/List_of_H ... der_fields

This thread throws a little more light on the subject: http://stackoverflow.com/questions/1031 ... ol-headers
Pragma is the HTTP/1.0 implementation and cache-control is the HTTP/1.1 implementation of the same concept. They both are meant to prevent the client from caching the response. Older clients may not support HTTP/1.1 which is why that header is still in use.
Since requiring TLS 1.2 for all secure hits, I doubt we'd have too many "older clients" since IE9 isn't even allowed and all secure hits return HTTP/1.1.

No doubt using headers for all secure pages would be the best route and I'll have to see if I can add it to our web application and see if it works to simply add a no-cache header without removing existing headers. I wouldn't be surprised if a scan would suggest re-adding it.

What's your impression?
Rick

Albert Wiersch
Site Admin
Posts: 3242
Joined: Sat Dec 11, 2004 9:23 am
Location: Near Dallas, TX

Re: Pragma no-cache

Post by Albert Wiersch » Thu Apr 20, 2017 3:57 pm

Hi Rick,

The Wikipedia article is talking about HTTP header fields and not meta tags in HTML.

Also, CSE HTML Validator should generate warnings, not errors, about those meta tags (unless you've changed it from the default). Is CSE HTML Validator really generating error messages for those meta tags (instead of warnings)?

I can't find anywhere that says those meta tags are "good" HTML so I think the warnings are justified for those meta tags.

If you don't want those warnings generated then the easiest thing to do would be to disable those messages via exact text match. Actually, you could disable the one for "cache-control" by message ID and it would affect only cache-control. The message for "pragma", if disabled by message ID, would affect both "pragma" and values other than "pragma" so I would use exact text match for the "pragma" message. NOTE: In the next update the message for "pragma" should have a unique ID (2017042002) so it would be OK to disable it by message ID then (but not now).

Does this seem reasonable?
Albert Wiersch
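
A check for the point made in this thread, that caching policy has to arrive as real HTTP response headers and not only as meta tags. This is an added example, not code from either poster or from CSE HTML Validator; the names `audit`, `directives` and `MetaCacheFinder` and the sample page and header lists are constructed for illustration.

```python
from html.parser import HTMLParser

CACHE_PRAGMAS = {"pragma", "cache-control"}  # the two http-equiv names from the post

class MetaCacheFinder(HTMLParser):
    """Collects <meta http-equiv=...> tags that try to set caching policy."""
    def __init__(self):
        super().__init__()
        self.found = []  # (http-equiv name, content) in document order

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("http-equiv", "").strip().lower()
        if name in CACHE_PRAGMAS:
            self.found.append((name, a.get("content", "")))

def directives(headers, wanted):
    """Union of directive names over every header line named `wanted`."""
    out = set()
    for name, value in headers:
        if name.lower() == wanted:
            out |= {d.split("=", 1)[0].strip().lower()
                    for d in value.split(",") if d.strip()}
    return out

def audit(headers, html):
    """headers: list of (name, value) as sent on the wire; html: response body."""
    finder = MetaCacheFinder()
    finder.feed(html)
    return {
        "no_store_header": "no-store" in directives(headers, "cache-control"),
        "pragma_header": "no-cache" in directives(headers, "pragma"),
        "meta_cache_tags": finder.found,
    }

# Constructed samples: the meta tags from the post, plus two header sets.
PAGE = ('<html><head><meta http-equiv="pragma" content="no-cache">'
        '<meta http-equiv="cache-control" content="no-store,no-cache">'
        '</head><body>account page</body></html>')
META_ONLY = [("Content-Type", "text/html")]
# An existing Cache-Control line is kept and a second one is added beside it.
WITH_HEADERS = [("Cache-Control", "private"),
                ("Cache-Control", "no-store, no-cache"), ("Pragma", "no-cache")]
```

`audit(META_ONLY, PAGE)` reports both meta tags but no `no-store` header, which is the case a proxy would still cache; `audit(WITH_HEADERS, PAGE)` shows the directive picked up from a second `Cache-Control` line added without removing the first.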


Re: Pragma no-cache

Post by RSteinwand » Fri May 19, 2017 12:52 pm

Sounds good.

Thanks Albert.
Rick
