The HTTPbis spec says that headers can/should be repeated if they are
relevant to caching. Since the Access-Control-... headers influence client
caching behavior (although at a level slightly above HTTP, in a manner that
does impact whether cached data is valid for a given request) perhaps we
should recommend that they be resent even with 304?
On Tue, Dec 3, 2013 at 7:26 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> I don't see why 304s should be different than other redirects from a
> security point of view.
>
> So requiring headers seem like the right thing. Can't we just say that
> that's the case for all redirects?
>
> / Jonas
> On Nov 25, 2013 8:34 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
>> Karl discovered a bug in the CORS protocol. We do not specify what
>> happens for a 304 response that does not have CORS headers. If we
>> follow the logic from redirects, we ought to require CORS headers in
>> that scenario.
>>
>> Firefox does this. Chrome does not.
>>
>> I want to nail this down in the 304 bit of
>> http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it
>> here to see what people think.
>>
>>
>> --
>> http://annevankesteren.nl/
>>
>