[breaking] respect cache-control max-age on the client

[dummdidumm]

...for initially fetched responses
Closes #4625
The proposed etag logic is not implemented because it sounds too complex and would add needless code for 99% of users

This is a breaking change insofar that people could have relied on the old behavior somehow

I implemented this after consulting the MDN docs and concluding that only the max-age and age headers are relevant for us in this case.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: 748ddee

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Rich-Harris]

I think we can simplify the client-side logic a bit by doing more work on the server (i.e. adding a data-ttl attribute). Though in the process of looking into that I realised that we need to spruce up the serialization logic (e.g. it's sending validation_errors twice, once in the hydrate object and once as a <script>), so I'm going to do that in a separate PR first

[Rich-Harris]

So this is interesting (and by 'interesting' I mean 'very annoying') — Chrome respects max-age and doesn't refetch until the resource is stale, but Firefox and Safari don't:

Screen.Recording.2022-08-31.at.3.36.59.PM.mov

Which means that if we do this, we'll arguably be broken in Firefox and Safari.

Thoughts?

[dummdidumm]

What the ... why don't they do that? Isn't that the most important part of the cache header?

[Rich-Harris]

yeah, idk. very surprising to have different behaviour between browsers for something this fundamental

[Rich-Harris]

Huh, I guess there's something else going on here. If I create this Node server...

import { createServer } from 'http';

createServer((req, res) => {
  if (req.url === '/') {
    res.writeHead(200, { 'Content-Type': 'text/html' });
    res.end(`
      <!DOCTYPE html>
      <body>
        <h1>${new Date().toString()}</h1>
        <button>update</button>
        <script>
          document.querySelector('button').addEventListener('click', async () => {
            const res = await fetch('/time');
            document.querySelector('h1').innerText = await res.text();
          });
        </script>
      </body>
    `);
  } else if (req.url === '/time') {
    res.writeHead(200, {
      'cache-control': 'max-age=5'
    });
    res.end(new Date().toString());
  } else {
    res.writeHead(404);
    res.end('not found');
  }
}).listen(3000);

...then all three browsers behave the same way (i.e. respecting the cache header).

[Conduitry]

I dunno why this happened again. Are you aborting tests midway and then committing temporary files? Should we add a gitignore for these to be safe?

[Conduitry]

Oh, you deleted it in a later commit. Still, what's creating these?

[Rich-Harris]

that's probably where they're coming from, yeah

[Rich-Harris]

Ok, digging deeper: it seems that browsers invalidate the cache for a given URL when you POST to it, which seems like reasonable behaviour. I think this wasn't happening before in Chrome because the response was a 500 (because the +server.js#POST didn't return a Response). Now that that's fixed, the behaviour is the same across browsers.

But it means that our behaviour is wrong — we also need to invalidate the cache if a non-GET request is made. It also means we'll need to split the test between two URLs

[Rich-Harris]

Just realised this probably shouldn't apply during prerendering

[Conduitry]

... I'm not sure what should happen during prerendering. Do we want to permanently cache the responses from endpoints? If we're going to request them the second and later times we visit a page, why not the first time? I know there was an issue floating around about being able to prerender endpoints, and I don't know how that interacts with this.

[Rich-Harris]

Endpoints are prerendered, unless they're marked as unprerenderable, in which case prerendering fails. So a prerendered page wouldn't be able to benefit from the cache-control header on the data, but also the data wouldn't require recomputing anyway.

I don't think it makes sense to change this (i.e. allow a page to be prerendered without its data also being prerendered) because if the data can become stale between deploys, you shouldn't be prerendering the page in the first place.

[Rich-Harris]

Do we want to permanently cache the responses from endpoints? If we're going to request them the second and later times we visit a page, why not the first time?

The trick would be knowing when to invalidate it (i.e. when a deploy happened). I tend to think this is best left to CDNs — a 304 is better than a stale 200 from cache.