W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: CORS and 304

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 3 Dec 2013 19:26:50 -0800
Message-ID: <CA+c2ei-Wmr9Crnkkt+jPo605EzgyZYtqYRoNE38a3GasGZvYFA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Odin Omdal HÝrthe <odinho@opera.com>, Karl Dubost <karl@la-grange.net>, WebAppSec WG <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
I don't see why 304s should be different than other redirects from a
security point of view.

So requiring headers seem like the right thing. Can't we just say that
that's the case for all redirects?

/ Jonas
On Nov 25, 2013 8:34 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> Karl discovered a bug in the CORS protocol. We do not specify what
> happens for a 304 response that does not have CORS headers. If we
> follow the logic from redirects, we ought to require CORS headers in
> that scenario.
> Firefox does this. Chrome does not.
> I want to nail this down in the 304 bit of
> http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it
> here to see what people think.
> --
> http://annevankesteren.nl/
Received on Wednesday, 4 December 2013 03:27:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC