Skip to content

cache: unsafe-method invalidation does not invalidate Location / Content-Location URIs (RFC 9111 §4.4) #5509

Description

@jeswr

CacheHandler.onResponseStart deletes only the request URI's entry on a 2xx/3xx response to an
unsafe method (lib/handler/cache-handler.js:109-122). RFC 9111 §4.4 also says caches SHOULD
invalidate the URIs in the response's Location and Content-Location fields when they share
the request URI's origin — the classic POST /collection201 Location: /collection/123 flow
currently leaves a previously cached GET /collection/123 stale.

Repro: cache GET /target; POST /src returning Location: <origin>/target; GET /target
again → observed: served from cache (undici 8.7.0/main, Node 22); expected: refetched.

Fix sketch: in the invalidation branch, parse Location/Content-Location, same-origin check
against cacheKey.origin, and store.delete({origin, path, method: 'GET'}) for each (both
bundled stores key deletion on origin+path, so this is ~25-40 LOC + tests).


Found during an agent-assisted HTTP-caching review for @jeswr; every claim reproduced on undici 8.6.0 (repo) and 8.7.0 (npm) on Node 22.23.1. Fix PR to follow.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions