W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: CORS and 304

From: Karl Dubost <karl@la-grange.net>
Date: Wed, 4 Dec 2013 05:39:01 -0500
Cc: Anne van Kesteren <annevk@annevk.nl>, Odin Omdal Hørthe <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
Message-Id: <C38D247C-9138-4AF0-B777-86F75D66C79D@la-grange.net>
To: Jonas Sicking <jonas@sicking.cc>

Le 3 déc. 2013 à 22:26, Jonas Sicking <jonas@sicking.cc> a écrit :
> I don't see why 304s should be different than other redirects from a security point of view.

What would be the security issue if the headers are not sent in the case of 304?

> So requiring headers seem like the right thing. Can't we just say that that's the case for all redirects?

I would love to see a survey of what servers are doing out of the box. It seems Apache scraps them. IIS? nginx? Knowing that would be a good thing for accessing how much difficult it will be to evangelize and it that would create a Web compatibility issues (with a lot of contacts ;) ).

Sincerely I don't know yet if it's a frequent issue, but I would love to have an idea about it.

Karl Dubost
Received on Wednesday, 4 December 2013 10:39:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC