Re: CORS and 304

Le 3 déc. 2013 à 22:26, Jonas Sicking <jonas@sicking.cc> a écrit :
> I don't see why 304s should be different than other redirects from a security point of view.

What would be the security issue if the headers are not sent in the case of 304?


> So requiring headers seem like the right thing. Can't we just say that that's the case for all redirects?

I would love to see a survey of what servers are doing out of the box. It seems Apache scraps them. IIS? nginx? Knowing that would be a good thing for accessing how much difficult it will be to evangelize and it that would create a Web compatibility issues (with a lot of contacts ;) ).

Sincerely I don't know yet if it's a frequent issue, but I would love to have an idea about it.

-- 
Karl Dubost
http://www.la-grange.net/karl/

Received on Wednesday, 4 December 2013 10:39:37 UTC