Hacker News new | comments | show | ask | jobs | submit login
Chrome treats DELETE requests as GET and caches them (code.google.com)
108 points by eranation on July 30, 2012 | hide | past | web | favorite | 68 comments

Chrome's excessive caching is so broken for RESTful web services that I've just given up on letting it cache any requests from Javascript. It completely ignores Vary headers, too, so hitting the back button after an AJAX request to the same URL (but with a different content-type) as a visited page displays the AJAX response (e.g., JSON) instead of the page. Worse yet, it's been marked as WONTFIX.


I don't think it's really fair to brag that your browser is the fastest when it willfully breaches the HTTP spec just to appear better than the competition. Is Chrome really better than IE, from an intentions viewpoint?

Also worth noting that Chrome does (or at least, did) cache items even that it is explicitly told not to if they are CSS or JS which can be absolutely infuriating.

> Also worth noting that Chrome does (or at least, did) cache items even that it is explicitly told not to if they are CSS or JS which can be absolutely infuriating.

I've certainly noticed it breaking the "ctrl+f5 refreshes everything" convention in recent versions, which can be a pain when testing new code and may cause problems for users on the release of new code if you don;t vary filenames (or other parts of the request).

This is for script included using a simple <script> tag, not something that is loaded dynamically, so that isn't the cause.

The solution I've used is to either close and reopen Chrome (yep: close all windows and restart, Google is becoming the new Microsoft in this manner!) or load the script file in a different tab and hit ctrl+f5 there first (it obeys the refresh then, and updates the memory cache that other tabs are using too).

I may be mistaken, but I believe that Chrome uses ctrl+shift+R to refresh everything.

It's "Ctrl-Shift-R twice". Hit it, wait a few moments for the page to start reloading, then hit it again.

Otherwise it doesn't reload everything. Verify this by watching the Developer Console's Network section. I can only assume this is intentional; my coworkers told me this trick last year and it still seems to be the case.

From watching the developer tools network tab it looked like Chrome respects Ctrl+F5, but I've also had the nagging feeling that two refreshes are sometimes necessary, and I've made that a habit when testing changes. I thought I was just being silly though. Would a browser really ignore Ctrl+F5 in the name of speed? That doesn't seem logical to me.

You can turn off cache in developer tools, which has saved my sanity. Nothing else is consistent.

Even then I find Chrome still caches. I've gotten in the habit of doing cmnd-shift-delete, which takes you straight to the clear cache settings. Sadly the equivalent command in Windows (Ctrl-shift-delete) does not work.

I still feel Chrome is the best browser, but that's more to do with the lousy competition than Chrome's own quality as of late.

Try the new safari. I've been a Chrome user for quite some time, since the retine MBP I'm forced to use safari (for retina support). Since ML it has actually become quite pleasant I have to say. I don't see any clear advantages of chrome anymore in terms of functionality (I still like its interface better though).

The new Safari does look nice at initial glance. What worries me about it is WebGL is not enabled by default, and its JS engine is much slower than Chrome's. I mostly do WebGL game dev for my personal projects, and so I don't support Safari (since I can't expect people to have turned WebGL on).

It isn't? That's strange. Why would they do that, security reasons?

About JS performance: Might be important to you as a gamedev, but for the overwhelming majority of today's web apps this shouldn't be an issue anymore.

That being said, I will probably still switch back to chrome when they get retina support. The interface is just cleaner and it has more intuitive developer tools IMO (safari's are more powerful, but chrome's do have everything I need and are easier to navigate).

Chrome Canary has retina support if you want to get a sneak peak at it. The problem is Canary crashes OSX often.

Had this issue when developing a real-time dashboards but didn't use websockets, jQuery kindly provides an option that will attach a random number as a query parameter forcing Chrome to round trip.

Do you have issues when developing? I have spent hours diving in my code thinking something is up before realizing it's just Chrome caching thats ignoring my changes!

Yeah, I have issues with Chrome caching my JS template files as well... shift-refreshing the files themselves shows the changes, but it has no effect on ajax requests.

That's another annoying part of it for me -- or was, the last time I was doing web development a year and something ago. Getting Chrome to flush some of its caches can difficult / require "extreme" measures. (Favicons were amongst the most egregious hangers on, in what I was doing. Not a "big" problem, but very annoying.)

The Chrome developer tools have an option to turn of the cache, I never use it without that enabled. Or any other browser for that matter.

Yep, that's what I ended up doing.

Not surprising. The amount of aggressive caching that Chrome does to make the web "faster" is excessive, not to mention infuriating. Developing a web application and using Chrome is an exercise in anger management.

And then there's the bug in the dev channel where multiple assignment was just plain broken (bug report: http://code.google.com/p/chromium/issues/detail?id=136380)


    var foo = function() { /* foo function */ };
    var bar = function() { /* bar function */ };
    var baz = function() { /* baz function */ };
    var sup = function() { /* sup function */ };

    foo.test = bar.test = baz.test = sup;

    console.log(foo.test);  // shows bar, not sup

I don't think your anger about multiple assignment is valid.

I also use the Dev channel regularly, but I don't think it's fair to expect it to meet a high bar of quality. Typically issues are corrected within a few days.

> I don't think your anger about multiple assignment is valid.

He didn't express any anger about it, he just noted that it was broken. The anger he expresses is about Chrome's insanely aggressive caching (and every web dev I know agrees with that, even IE's caching was less over-the-top than Chrome's).

I'm taking his note on multiple assignment more as a supplementary piece of evidence re. Chrome's quality control: how can you break something as basic as multiple assignments and get that pushed to a build?

From the dev channel page[1]:

"While this build does get tested, it is still subject to bugs, as we want people to see what's new as soon as possible" and "Remember, Dev channel browsers and Canary builds may still crash frequently."

[1] http://www.chromium.org/getting-involved/dev-channel/

I know what the channel page says and what the dev channel is about, my issue is that multiple assignment is not a complex or advanced feature, which means either it's not tested or Chrome's devs don't even bother running any test suite before pushing changes.

What makes you think assignment is simple? V8 is a multi-stage, dynamically optimizing just-in-time compiler. That's complex and advanced, pretty much by definition.

As masklinn pointed out earlier, it's frustration with the lack of quality control rather than anger. While I'm certain that the multiple assignment bug will be fixed (if it isn't already, of course), I simply brought it out to illustrate a point: The Chrome(ium)? team needs to invest a bit more time in quality control, and less time on trying to make the web "faster" by taking shortcuts around well-established practices and specs.

I wouldn't be surprised if the multiple assignment bug was caused by some sort of speed-related optimization.

Why is this bad? for example if you have an Image you want to both DELETE and GET, and have cache control, once it's cached, the DELETE will return the bytes of the image without going to the server...

I'm not sure if you're trolling or not, so I'll assume naiveté and give you a thoughtful answer: Because the resource you tried to delete will not be deleted. To add insult to injury, from a UI perspective, it will still behave like it has been. This wrecks any ajax applications that cache GET requests.

Furthermore, it's in direct violation of the HTTP spec:

> If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale. Responses to this method are not cacheable.



Why is he being downvoted?

As per RFC2119 (http://www.ietf.org/rfc/rfc2119.txt):

    3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
    may exist valid reasons in particular circumstances to ignore a
    particular item, but the full implications must be understood and
    carefully weighed before choosing a different course.

Because the problem goes beyond failing to invalidate the existing cache for the resource (which is a SHOULD), Chrome does not even make the request, which most definitely isn't acceptable under any circumstance, even after careful considerations. The spec even emphatically says that responses to a DELETE are not cacheable, how could you use an existing cached response as valid for a DELETE if you are not allowed to cache a delete in the first place?

Then there is a PERIOD, and it says "Responses to this method are not cacheable."

So caching DELETE is against the spec.

But returning already cached GET response to DELETE request is not.

I, however, agree that this behaviour shouldn't happen.

I believe the spec is saying that if you are a proxy, and you have a cached value for X, then you see a delete for X, you are allowed to immediately expire your entry for X. In other words, the proxy is permitted to assume that a delete request is so likely to result in a change on that resource that it may simply assume the cache is bad. It isn't required to, though.

It does not mean that if you receive a DELETE request you can just substitute the value of what is a completely different request (the GET request). I believe eloisius is not correct about the spec banning this behavior with that line. It's "banned" because it's just broken, nonsensical. It's not the same request in the first place, any more than you can just substitute POST results for GET.

Yes, but mailing a bicycle to a random US address as a response to the DELETE request is also not explicitly forbidden in the spec. This doesn't mean that the spec provides for commercial suicide through bicycle mail.

But returning already cached GET response to DELETE request is not.

Yes, you're right.. the spec doesn't mention what should happen when the developer does something completely irrational, like returning a cached GET response to a DELETE request.

I commented on my own post to explain why I think it's bad, sorry for not reading it aloud to myself, I can understand why you read it not the way I had it in my head :)

Should read my post as:

"Are you asking why this is bad? it is bad because..." and provided an example...

P.S. I like the Insult to injury quote, it's exactly how I felt when trying to debug it, took me an hour to figure that out...

I wonder why three people answered your question, not understanding that you

- submitted the link in the first place

- tried to provide an explanation why this is a bad idea (i.e. wrong)

and telling you that this behavior is, in fact, not according to the specs.

Communication failure? Maybe it would help to clarify your statement a bit?

Edit: Reading a third and forth time I'm becoming less certain that _I_ got your point and the others didn't (note to self: That shouldn't be the default assumption). Did you really ask why that is bad?

Edit 2: Looking at your username and the issue comments I kind of assume that you are the commenter over at code.google.com, calling this 'severe'. So I'm back to my original assumption that you know perfectly fine why this is bad.

The question "Why is this bad?" can be interpreted two ways: both as "Can someone please tell me why this is bad?" and "Why is this bad, you might be wondering? Let me tell you..." Ambiguities like this are sometimes amusing, such as when a reply saying "Love it!" can be read as both "[I] love it!" and the imperative command "[You must] love it!"

Yep, bad choice of English words from my side. not may native language... yep, I was trying to explain why it's bad, not asking why it is bad... :)

It's pretty subtle :) The closest way to do it is like this:

Why is this bad? Well, for example if you have an Image...

Just put the word "well," between the question and the explanation. I doubt they put that in a textbook though :)

thanks! next time I will... ;)

I think the point was being made on "why this is bad" and not that a question was being asked. ( almost definitely the severe comment in the group was made by the same person - http://digg.com/eranation)

Yep, bad choice of English from my end, not my native language I wish I could "edit" that and change the wording, but you got that right the first and 3rd time (Edit 2 is correct) :)

I read it as an "asked and answered" type comment.

I think RFC covers this:

From http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

Section "9.1.2 Idempotent Methods". "However, it is possible that a sequence of several requests is non- idempotent, even if all of the methods executed in that sequence are idempotent."

As well section "9.7 DELETE". The last sentence: Responses to this method are not cacheable.

The same in human language: there is no guarantee that you are deleting the same object because its ID matches. E.g. MD5 collisions are rare but they sometimes happen.

Yes, bad English from my end! Please read it as "Why this is Bad: ", and not "Why is this bad?"...

Thanks for all the ones who corrected me!

Because the HTTP 1.1 specification says it should behave differently, and developers expect clients to comply with the specification.

Sorry, I was commenting on my own post and wanted to provide an example for "why this is bad" and not ask "why is this bad" apparently, HN also teaches me English (not my native language)

So to clarify, the problem is that browser serves the cached copy of the response from the GET request to the user, meaning that the user will not see the possibly different response returned by the server for the DELETE request correct? I feel like I'm missing something here.

No, the browser doesn't actually send the DELETE in the first place..

Just to be clear (because I feel like I'm missing something here as well): the problem is if you allow a GET to be cached and then the client makes a DELETE request on that cached resource, Chrome applies the DELETE to the cached version and doesn't propagate the request to the server??

From the logs it seems to me it doesn't do a DELETE and sends a "GET (from cache)" type of request

By the way credit goes to Sebastian from blueimp.net (who wrote the excellent jQuery File Upload) for discovering and opening the bug initially.

Apparently your votes have helped, see official comment http://code.google.com/p/chromium/issues/detail?id=136320#c8

Priority was bumped

I can only see 1,2,9-14. What was written in comment 8 and why did they hide it?

Comment 4 on the bug report cracked me up:

"Obviously, google doesn't believe in deleting data."

No it is not funny. The comments section on an issue is not a place for jokes or otherwise unhelpful comments. It is not twitter or a comments section on a blog.

Everyone on that list gets pinged whenever there is an update. This is the place to fix the bug. People should not see every single input box as an invitation to demonstrate their wit.

This is one reason I tend to cringe when I see direct links to bug reports on social-media sites (like this one). Tends to end up with "angry user" posts filling up the comment thread.

It's good that they are pinged. Maybe they be annoyed enough to fix it.

Right, the best way to get a bug fixed is to annoy the people who might fix it for you.

It also 'pings' everyone who starred/subscribed to the issue out of interest - very not cool

It's the reason I don't star issues any more. The number of "me too!" comments is out of hand.

Aahhhaaa that's why it behaves strange when you click the back button on ExtJS documentation! Instead of the previous page I see JavaScript codes. But yeah yeah Gogole knows what he is doing, for sure!

I wasn't even aware that browsers could use request methods other than GET and POST.


You can use other request methods with XMLHttpRequest. Apparently HTML5 allowed forms with PUT and DELETE for a while but this was removed from the spec.

And the update to fix this will be pushed in 3... 2... 1...

Update - a fix patch was created

Update: this was fixed!

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact