Token server design - RFC

Hanno Schlichting hschlichting at
Fri Jan 13 07:36:46 PST 2012

On 13.01.2012, at 09:04 , Richard Newman wrote:
>> I pretend our web services are completely different from a website 
>> because the target clients are *custom* clients that are implementing 
>> the protocol we defined, not a random HTTP client out there that makes 
>> assumptions on what we provide by reading the HTTP spec.
> That's not nearly so true as we would like it to be. Our clients are uniformly implemented on top of HTTP clients (in necko and Android), and *those* are designed to work with HTTP. If we put our heads in the sand and say "la la, we didn't say HTTP, so you made a bad assumption!" we're just fooling ourselves.

Do most of our APIs use HTTP or HTTPS?

At least as far as browsers are concerned, the rules for caching of HTTPS content aren't really well defined but tend to be on the "don't cache" side by default.

That's not to say we should rely on HTTPS not being cached, but it might explain why there haven't been many bug reports about this.

