Should HTTP 304 Not Modified-responses contain cache-control headers?

Question

I've tried to understand this, and searched SO for similar questions, but I still don't have a 100% understanding on how this is supposed to work.

I get this response on a request for an image resource:

Response Headers     Server  Apache-Coyote/1.1     Date    Mon, 19 Oct 2009 09:04:04 GMT     Expires Mon, 19 Oct 2009 09:06:05 GMT     Cache-Control   public, max-age=120     Etag    image_a70703fb393a60b6da346c112715a0abd54a3236     Content-Disposition inline;filename="binary-216-420"     Content-Type    image/jpg;charset=UTF-8     Content-Length  4719 

The desired behavior is that the client should cache this for 120 seconds, then request it from the server again. Within the 120 seconds, no request is sent to the server.

Then, after 120 seconds, a request is sent and a 304 response is received:

Response Headers     Server  Apache-Coyote/1.1     Date    Mon, 19 Oct 2009 09:06:13 GMT  Request Headers     Host    localhost:8080     User-Agent  Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3     Accept  image/png,image/*;q=0.8,*/*;q=0.5     Accept-Language en-us,no;q=0.8,sq;q=0.7,en;q=0.5,sv;q=0.3,nn;q=0.2     Accept-Encoding gzip,deflate     Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7     Keep-Alive  300     Connection  keep-alive     Referer http://localhost:8080/cms/site/0/en/home     Cookie  JSESSIONID=768ABBE1A3BFABE3B535900233330650; versionsCssDisplayState=block; iceInfo=iceOn:false,activePortletKey:,icePagePanelX:1722,icePagePanelY:3     If-None-Match   image_a70703fb393a60b6da346c112715a0abd54a3236 

So far, all well. But then, on the next request (whithin 120 seconds) i would have thought that the resource should be cached for 120 new seconds. What i see in the browser (Firefox) on the other hand, is that it from this point on always request the resource and receives the 304-response.

Am I supposed to attach the cache-control headers in the 304-response? From what i can read in the spec, it seems like the cache-control settings should be omitted, and that the cache should cache it for 120 new seconds automatically?

Answer 1

RFC7232 updates RFC2616 to say:

The server generating a 304 response MUST generate any of the following header fields that would have been sent in a 200 (OK) response to the same request: Cache-Control, Content-Location, Date, ETag, Expires, and Vary.

Answer 2

In theory you shouldn't have to send Cache-Control for a 304 -- the recipient should just continue to use the cache directives that it received from the original 200. However, as you've found, in practice if you don't keep sending Cache-Control, browsers will ignore the cache directives that you sent originally, and revert to their own default heuristics.

So in practice, you should include the same Cache-Control with a 304 that you would with a 200. The spec only mandates that you send it for a 304 if it's different than what you sent previously (see 10.3.5 304 Not Modified) -- but it certainly doesn't forbid you from repeating it when it's the same.

And to respond specifically to the wrong-headed points from the other answer (Structure's):

1. You do want intermediary caches to cache the response (that is, update their cache entry for the resource). They will respond appropriately to requests from clients with a 200 or a 304, depending on whether the client included a conditional header like If-Modified-Since.

2. The 120-second ttl will be refreshed by the 304 (so the same client shouldn't make another request for the same resource for at least another 120 seconds). And clients, as long as they've still got the content cached, will continue to make conditional requests for the resource, which you can continue to respond to with a 304.