
CORS and 304

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 25 Nov 2013 16:34:20 +0000
Message-ID: <CADnb78iip9BUbKZRPkCeZnsG92KQRD8nfJtCn8iBXTjBwe7rWA@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Karl Dubost <karl@la-grange.net>, Odin Omdal Hørthe <odinho@opera.com>, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>
Karl discovered a bug in the CORS protocol. We do not specify what
happens for a 304 response that does not have CORS headers. If we
follow the logic from redirects, we ought to require CORS headers in
that scenario.

Firefox does this. Chrome does not.

I want to nail this down in the 304 bit of
http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it
here to see what people think.


-- 
http://annevankesteren.nl/
Received on Monday, 25 November 2013 16:34:52 UTC
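
The gap described in the message above, modelled as an added example (not from the original post, the CORS specification, or any browser's code). The policy names, the sample origin and responses, and the assumption that the lenient behaviour checks only the stored response's headers are illustrative.

```javascript
// Simplified CORS check (no credentials mode): does this header set
// allow the requesting origin?
function corsCheck(headers, origin) {
  const allow = headers["access-control-allow-origin"];
  return allow === "*" || allow === origin;
}

// Hypothetical policy names used only in this example:
//   "require-on-304": the 304 itself must pass the CORS check, following
//                     the redirect-style logic the message proposes.
//   "stored-only":    only the stored response's headers are checked
//                     (an assumed model of the other behaviour).
function revalidate(stored, notModified, origin, policy) {
  if (notModified.status !== 304) throw new Error("expected a 304 response");
  const checked =
    policy === "require-on-304" ? notModified.headers : stored.headers;
  if (!corsCheck(checked, origin)) {
    return { ok: false, body: null }; // treated as a network error, body withheld
  }
  return { ok: true, body: stored.body };
}

// Constructed sample data.
const origin = "https://app.example";
const stored = {
  status: 200,
  headers: { "access-control-allow-origin": origin, etag: '"v1"' },
  body: "cached payload",
};
const bare304 = { status: 304, headers: { etag: '"v1"' } };
const cors304 = {
  status: 304,
  headers: { etag: '"v1"', "access-control-allow-origin": origin },
};

// The same cached resource, revalidated under each policy.
function runCases() {
  return {
    strictBare: revalidate(stored, bare304, origin, "require-on-304").ok,
    strictCors: revalidate(stored, cors304, origin, "require-on-304").ok,
    lenientBare: revalidate(stored, bare304, origin, "stored-only").ok,
  };
}

console.log(runCases());
```

The 304 without CORS headers is the only case where the two policies disagree, which is why a server that omits those headers on 304 responses gets different results across clients.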
