Handling duplicate directives (part II)

[mnot]

4.2.1 says:

When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale.

What about multiple no-store?

[mnot]

I think the right approach here is to require adherence to the most restrictive directive received, but I want to write some more tests first.

[mnot]

OK, the results are mixed.

In a nutshell:

• No implementation follows the more conservative max-age when multiple are received, either on the same line or separate lines
• If the max-age directives occur on the same line, most implementations (except Firefox and Apache) prefer the first occurrence.
• If the max-age directives occur on separate lines, the behaviour is about the same, except that nginx flips and prefers the second line.

OTOH most implementations do honour a stricter directive (e.g., no-store or no-cache in the presence of more liberal ones like max-age; the only exceptions there are nuster (a new implementation) and Fastly (this is a known issue).

So it seems like the most interoperable thing to do would be to document that when a directive with an argument (like max-age) appears, the first occurrence should take precedence; however, conflicting directives (like max-age and no-store) should defer to the strictest.