Re: CORS and 304

From: Karl Dubost <karl@la-grange.net>
Date: Mon, 25 Nov 2013 11:49:00 -0500
Cc: WebAppSec WG <public-webappsec@w3.org>, Odin Omdal Hørthe <odinho@opera.com>, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>
Message-Id: <785DF35F-8A15-4453-9AAC-0E138B9AE831@la-grange.net>
To: Anne van Kesteren <annevk@annevk.nl>

On 25 Nov 2013, at 11:34, Anne van Kesteren <annevk@annevk.nl> wrote:
> Karl discovered

s/discovered/transmitted the message/. Clochix (from the French Web dev community) pointed out the issue this morning.

> a bug in the CORS protocol. We do not specify what
> happens for a 304 response that does not have CORS headers. If we
> follow the logic from redirects, we ought to require CORS headers in
> that scenario.

To note, Apache strips out the CORS headers.

The HTTP 1.1 Spec says it can.

> Firefox does this. Chrome does not.
> I want to nail this down in the 304 bit of
> http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it
> here to see what people think.

Thanks Anne.

Karl Dubost
Received on Monday, 25 November 2013 16:49:34 UTC
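
The two behaviours discussed in this thread, as an added example that is not part of the original message or of any browser's code: a simplified CORS check applied to a revalidated cache entry, once requiring CORS headers on the 304 itself and once not. The function names, the sample response heads and the origin `https://app.example` are constructed, and the "not required" branch (the 304 only refreshes the stored headers, then the check runs on the merged entry) is an assumption about what not requiring them would mean.

```javascript
'use strict';

// Parse a raw response head into { status, headers } with lowercase header names.
function parseHead(raw) {
  const [statusLine, ...lines] = raw.trim().split(/\r?\n/);
  const status = Number(statusLine.split(' ')[1]);
  const headers = new Map();
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return { status, headers };
}

// Simplified CORS check (no credentials): ACAO must be '*' or the exact origin.
function corsCheck(headers, origin) {
  const acao = headers.get('access-control-allow-origin');
  return acao === '*' || acao === origin;
}

// Decide whether a cross-origin read of a revalidated cache entry is allowed.
// require304Cors = true : the 304 itself must carry passing CORS headers.
// require304Cors = false: assumed model, the 304 updates the stored headers
//                         and the check runs on the merged entry.
function checkRevalidated(stored, fresh, origin, require304Cors) {
  if (fresh.status !== 304) return corsCheck(fresh.headers, origin);
  if (require304Cors) return corsCheck(fresh.headers, origin);
  const merged = new Map([...stored.headers, ...fresh.headers]);
  return corsCheck(merged, origin);
}

// Constructed sample response heads.
const STORED_200 = parseHead(`HTTP/1.1 200 OK
ETag: "v1"
Access-Control-Allow-Origin: https://app.example
Content-Type: application/json`);
const STRIPPED_304 = parseHead(`HTTP/1.1 304 Not Modified
ETag: "v1"`);
const FULL_304 = parseHead(`HTTP/1.1 304 Not Modified
ETag: "v1"
Access-Control-Allow-Origin: https://app.example`);
const CHANGED_304 = parseHead(`HTTP/1.1 304 Not Modified
ETag: "v1"
Access-Control-Allow-Origin: https://other.example`);
```

With the stripped 304, the same cached resource is readable under one policy and blocked under the other, which is the interoperability gap the thread describes.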