Re: CORS and 304 from Jonas Sicking on 2013-12-04 (public-webappsec@w3.org from December 2013)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 4 Dec 2013 03:08:19 -0800
To: Karl Dubost <karl@la-grange.net>
Cc: Odin Hørthe Omdal <odinho@opera.com>, Anne van Kesteren <annevk@annevk.nl>, Adam Barth <w3c@adambarth.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CA+c2ei--qVORpbyGgGaF+ZOoFC3y=NUnEfbvSO-pFUGXUqHMVw@mail.gmail.com>

On Dec 4, 2013 2:39 AM, "Karl Dubost" <karl@la-grange.net> wrote:
>
>
> Le 3 déc. 2013 à 22:26, Jonas Sicking <jonas@sicking.cc> a écrit :
> > I don't see why 304s should be different than other redirects from a
security point of view.
>
> What would be the security issue if the headers are not sent in the case
of 304?

Same as for other types of redirects.

If we follow a redirect without checking cors headers first, that leaks
information. Who knows if that information is sensitive or not.

> > So requiring headers seem like the right thing. Can't we just say that
that's the case for all redirects?
>
> I would love to see a survey of what servers are doing out of the box. It
seems Apache scraps them.

What do you mean "scraps them"? What headers are we talking about here,
response or request headers?

I think we must be talking past each other. Can someone provide a detailed
explanation of what the actual question is here.

/ Jonas

Received on Wednesday, 4 December 2013 11:08:46 UTC