So far, I've fixed http://trac.webkit.org/changeset/108576, which was allowing CachedResource re-use when the two requests' Range headers weren't identical. There are other, similar cases, where headers need to be the same (e.g., "Authorization" was recently pointed out to me). I'm debating whether to continue the whack-a-mole game of finding and fixing these headers that need to match to be cahceable. The alternative is to switch to requiring all headers to match except for a whitelist (e.g., I'm pretty sure we still want a cache hit even if the referrers don't match). Thoughts are appreciated.