I don't see why 304s should be different than other redirects from a
security point of view.
So requiring headers seems like the right thing. Can't we just say that
that's the case for all redirects?
/ Jonas
On Nov 25, 2013 8:34 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
> Karl discovered a bug in the CORS protocol. We do not specify what
> happens for a 304 response that does not have CORS headers. If we
> follow the logic from redirects, we ought to require CORS headers in
> that scenario.
>
> Firefox does this. Chrome does not.
>
> I want to nail this down in the 304 bit of
> http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it
> here to see what people think.
>
>
> --
> http://annevankesteren.nl/
>
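The two behaviours discussed in this thread, as an added sketch that is not part of either message, the Fetch spec, or any browser's code: a simplified CORS check applied to a 304 revalidation, once requiring CORS headers on the 304 itself and once not. The function names, the `require304Headers` option, the fallback to the stored response's headers in the non-requiring mode, and the sample origins are all assumptions made for illustration.

```javascript
// Added illustration; function and option names are hypothetical.
// Header names are assumed to be lower-cased already.

// Simplified CORS check on one set of response headers.
function corsCheck(headers, origin, withCredentials) {
  const allow = headers['access-control-allow-origin'];
  if (allow === undefined) return false;
  if (withCredentials) {
    // Credentialed requests need an exact origin match plus the credentials flag.
    return allow === origin &&
      headers['access-control-allow-credentials'] === 'true';
  }
  return allow === '*' || allow === origin;
}

// Decide whether a cross-origin revalidation may expose the cached body.
// require304Headers = true : the 304 itself must pass the check
//                            (the behaviour the thread attributes to Firefox).
// require304Headers = false: a 304 is not checked on its own; this sketch
//                            assumes the stored headers are checked instead.
function handleRevalidation(cached, response, origin, opts = {}) {
  const { require304Headers = true, withCredentials = false } = opts;
  if (response.status !== 304) {
    const ok = corsCheck(response.headers, origin, withCredentials);
    return ok ? { ok, body: response.body } : { ok };
  }
  const headers = require304Headers
    ? response.headers
    : { ...cached.headers, ...response.headers };
  const ok = corsCheck(headers, origin, withCredentials);
  return ok ? { ok, body: cached.body } : { ok };
}

// Constructed sample data.
const cached = {
  headers: { 'access-control-allow-origin': 'https://app.example' },
  body: 'cached payload',
};
const bare304 = { status: 304, headers: {} };
const cors304 = {
  status: 304,
  headers: { 'access-control-allow-origin': 'https://app.example' },
};
```
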