W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2013

Re: CORS and 304

From: Karl Dubost <karl@la-grange.net>
Date: Mon, 25 Nov 2013 11:49:00 -0500
Cc: WebAppSec WG <public-webappsec@w3.org>, Odin Omdal HÝrthe <odinho@opera.com>, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>
Message-Id: <785DF35F-8A15-4453-9AAC-0E138B9AE831@la-grange.net>
To: Anne van Kesteren <annevk@annevk.nl>

Le 25 nov. 2013 ŗ 11:34, Anne van Kesteren <annevk@annevk.nl> a ťcrit :
> Karl discovered

s/discovered/transmitted the message/. Clochix (from French Web dev communtity) pointed out the issue this morning.

> a bug in the CORS protocol. We do not specify what
> happens for a 304 response that does not have CORS headers. If we
> follow the logic from redirects, we ought to require CORS headers in
> that scenario.

To note Apache strips out the CORS headers
https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

The HTTP 1.1 Spec says it can
http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-25#section-4.1


> Firefox does this. Chrome does not.
> 
> I want to nail this down in the 304 bit of
> http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it
> here to see what people think.


Thanks Anne.

-- 
Karl Dubost
http://www.la-grange.net/karl/
Received on Monday, 25 November 2013 16:49:34 UTC

This archive was generated by hypermail 2.3.1 : Monday, 25 November 2013 16:49:34 UTC