[ https://issues.apache.org/jira/browse/OFBIZ-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16480660#comment-16480660 ]
Jacques Le Roux commented on OFBIZ-6766:
----------------------------------------
Reading
https://www.fastly.com/blog/headers-we-dont-want
and then checking at
https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Cache-Control
https://stackoverflow.com/questions/34663916/are-cache-control-pre-check-and-post-check-headers-still-supported-by-ie
https://blogs.msdn.microsoft.com/ieinternals/2009/07/20/internet-explorers-cache-control-extensions/
I see that we can update our headers:
* Expires: Fastly recommends removing it but Mozilla is more conservative: keeping
* Pragma: same
* Cache-Control: same + adding private
* Cache-Control post-check and pre-check: according to Stack Overflow and especially Microsoft, removing
* x-frame-options: see my comment in user ML at
https://markmail.org/message/hcw7du22vqcbe4oo TL;DR better to use a CSP policy
* x-ua-compatible: it's only in HTML files. I think it's more history and cargo cult, but I'll ask on the dev ML though
* others: we are not concerned :)
I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about x-ua-compatible on the dev ML before committing.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
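
An added example, not part of the comment above or of the attached OFBiz patch: a small checker that applies the header decisions listed in the comment to a response's headers. The function names, finding strings and sample header values are constructed for illustration, and reading "use a CSP policy" as the CSP `frame-ancestors` directive is an assumption.

```python
"""Audit response headers against the decisions listed in the comment (illustrative)."""

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}, lower-cased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_headers(headers):
    """Return a list of findings; an empty list means the headers match the list."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    cc = parse_cache_control(h.get("cache-control", ""))
    for legacy in ("pre-check", "post-check"):  # Internet Explorer extensions
        if legacy in cc:
            findings.append(f"Cache-Control: remove IE-only '{legacy}'")
    if "private" not in cc:
        findings.append("Cache-Control: add 'private'")
    for kept in ("expires", "pragma"):  # the comment keeps both
        if kept not in h:
            findings.append(f"{kept}: kept per the comment, but missing")
    # Assumption: the CSP replacement for X-Frame-Options is frame-ancestors.
    csp = h.get("content-security-policy", "").lower()
    has_frame_ancestors = any(
        d.split()[:1] == ["frame-ancestors"] for d in csp.split(";"))
    if "x-frame-options" in h and not has_frame_ancestors:
        findings.append("X-Frame-Options without CSP frame-ancestors")
    return findings

# Constructed sample headers, not captured from an OFBiz instance.
BEFORE = {
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Pragma": "no-cache",
    "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "X-Frame-Options": "SAMEORIGIN",
}
AFTER = {
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Pragma": "no-cache",
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    print(audit_headers(BEFORE), audit_headers(AFTER))
```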