I explored a bit trying to find out why this module doesn't work for me.

The first issue I found was weak etags. The module does not support them.

The second was kind of astonishing for me cause I saw: return !! (etagMatches && notModified); at the end.

ETag and Last-Modified are two different mechanisms. If any of them is satisfied, the request cache is "fresh". Not both of them. So there must be return !! (etagMatches || notModified); unless you point out the sane reason :/

This module should support weak ETags properly :) I plan to make a PR at a later time, but wanted to file this to not forget/maybe someone else will do it first :)

Since this module is for conditional requests, it should do weak validations. Right now W/"1" doesn't correctly match "1" in weak validation.

HTTPbis has the official matching chart at: http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-26#section-2.3.2

Right now the signature is fresh(reqHeaders, resHeaders), which is of course nice for being agnostic, but slightly lame. I don't think we should remove this "agnostic-ness" per-se, but it would be nice to pass in IncomigMessage and OutgoingMessage objects so this lib can just handle weirdness like expressjs/express#2468

From #8 (comment) ; I don't know exactly how to document this yet, because this library is very low-level and does the base spec-compliant stuff.

hi，Why do you write this function like this? What's the difference between ascill and normal characters?

function parseTokenList (str) {
  var end = 0
  var list = []
  var start = 0

  // gather tokens
  for (var i = 0, len = str.length; i < len; i++) {
    switch (str.charCodeAt(i)) {
      case 0x20: /*   */
        if (start === end) {
          start = end = i + 1
        }
        break
      case 0x2c: /* , */
        list.push(str.substring(start, end))
        start = end = i + 1
        break
      default:
        end = i + 1
        break
    }
  }

  // final token
  list.push(str.substring(start, end))

  return list
}

emmmm,

str.replace(/\s/g,'').split(',');

From snyk.io, we have Regular Expression Denial of Service (ReDoS) on this package

TL;DR:

Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks. A Regular Expression (/ *, */) was used for parsing HTTP headers and take about 2 seconds matching time for 50k characters.

Please take a look and check, if true --> please fix it asap, because many packages are based on it

Source: https://snyk.io/vuln/npm:fresh:20170908

[12:13:53] Running server
/Users/.../node_modules/gulp-connect/node_modules/fresh/index.js:29
  var lastModified = res['last-modified'];
                        ^

TypeError: Cannot read property 'last-modified' of undefined
    at fresh (/Users/.../node_modules/gulp-connect/node_modules/fresh/index.js:29:25)
    at SendStream.isFresh (/Users/.../node_modules/gulp-connect/node_modules/send/index.js:372:10)
    at SendStream.send (/Users/.../node_modules/gulp-connect/node_modules/send/index.js:539:13)
    at onstat (/Users/.../node_modules/gulp-connect/node_modules/send/index.js:624:10)
    at FSReqWrap.oncomplete (fs.js:167:5)

gulp-connect setup:
connect.server({ livereload: false, root: config.getDir() + '/', fallback: config.getDir() + '/index.html', https: true, host: '0.0.0.0', });
Mostly happens when running with https:true and accessing the dev env from outside the network (I've opened a port to be forward from WLAN to my dev computer, for debugging). Anyway, only then this problem happened.

Fresh version: 0.3.0

Hi,
If a request contains both header cache-control: no-cache and a fresh etag, fresh will mark the request not fresh. I don't understand why. According to w3.org's explanation about no-cache: If the no-cache directive does not specify a field-name, then a cache MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server. This directive only tells a proxy to revalidate with the server. It shouldn't be used by origin server to determine a cached content is stale, which is the job of etag and last modified timestamp header.

I encountered this problem when using IE XDomainRequest. IE added cache-control: no-cache automatically if previous response has header Cache-Control: max-age=0 and there is no way to disable the request header.

It appears that fresh has copy-pasted logic from send related to etag handling.

This commit should probably be copied in it's entirety over to fresh, right? :
pillarjs/send@aeb69c6

It does raise the question if it might be possible to package up in a more re-usable way since there is some overlap between parts of the internals of fresh (req, res) and send's isPreconditionFailure. Or perhaps they are just different enough to warrant the duplication.

Anyway, if you agree that this commit should be copied over from send happy to send a PR.

thanks for these 2 fantastic modules by the way! ❤️ I'm working on improving koa's range support and send, fresh have both been incredibly rich sources towards better compliance with rfc7233, rfc 7232

I think the latest change to look for max-age=0 in the request and decides if the cache is fresh or not, is not a valid assumptions.

the code I am talking about is in this line.

if (cc && (cc.indexOf('no-cache') !== -1 || cc.indexOf('max-age=0') !== -1)) return false;

The max-age=0 in the request is sent by the browser to validate if the cache information in the request is current or not. With this change the server will never return 304 for any request contains (max-age=0). The response will always return the content (200).

please read the meaning of max-age=0
from http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

14.9.4 Cache Revalidation and Reload Controls

Specific end-to-end revalidation
The request includes a "max-age=0" cache-control directive, which forces each cache along the path to the origin server to revalidate its own entry, if any, with the next cache or server. The initial request includes a cache-validating conditional with the client's current validator.

max-age
When an intermediate cache is forced, by means of a max-age=0 directive, to revalidate its own cache entry, and the client has supplied its own validator in the request, the supplied validator might differ from the validator currently stored with the cache entry. In this case, the cache MAY use either validator in making its own request without affecting semantic transparency.
However, the choice of validator might affect performance. The best approach is for the intermediate cache to use its own validator when making its request. If the server replies with 304 (Not Modified), then the cache can return its now validated copy to the client with a 200 (OK) response. If the server replies with a new entity and cache validator, however, the intermediate cache can compare the returned validator with the one provided in the client's request, using the strong comparison function. If the client's validator is equal to the origin server's, then the intermediate cache simply returns 304 (Not Modified). Otherwise, it returns the new entity with a 200 (OK) response.
If a request includes the no-cache directive, it SHOULD NOT include min-fresh, max-stale, or max-age.

Hello everyone, i have encountered an issue when using fresh in my web server based on express. I suspect that express automatically installed fresh. Here is the error:

TypeError: noneMatch.split is not a function
    at fresh (/server/web/main/node_modules/fresh/index.js:61:40)
    at IncomingMessage.fresh (/server/web/main/node_modules/express/lib/request.js:469:12)
    at ServerResponse.send (/server/web/main/node_modules/express/lib/response.js:196:10)
    at ServerResponse.json (/server/web/main/node_modules/express/lib/response.js:256:15)
    at ServerResponse.send (/server/web/main/node_modules/express/lib/response.js:158:21)
    at app.get (/server/web/main/main.js:23:6)
    at Layer.handle [as handle_request] (/server/web/main/node_modules/express/lib/router/layer.js:95:5)
    at next (/server/web/main/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/server/web/main/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/server/web/main/node_modules/express/lib/router/layer.js:95:5)

Does anyone know why this happens? I am behind an NGINX proxy, if that is important.

As stated in the MDN docs the no-cache directive is used indicate that the client has a copy in the cache but needs to validate it with each request. no-store on the other hand will disable all caches.

no-cache
Forces caches to submit the request to the origin server for validation before releasing a cached copy.

This means that fresh should give back true inconjuction with theses headers:
var reqHeaders = {
"if-none-match": "foo",
"cache-control" : "no-cache"
};

var resHeaders = {
"etag" : "foo"
};

correct me if I'm wrong;

According to the latest HTTP RFC,

A recipient MUST ignore If-Modified-Since if the request contains an If-None-Match header field; the condition in If-None-Match is considered to be a more accurate replacement for the condition in If-Modified-Since, and the two are only combined for the sake of interoperating with older intermediaries that might not implement If-None-Match.

fresh does not ignore If-Modified-Since, it returns false if the If-Modified-Since is before last-modified. I would expect it to return true immediately if If-None-Match matches the ETag header.