Re: CORS and 304

On Dec 4, 2013 2:39 AM, "Karl Dubost" <> wrote:
> Le 3 déc. 2013 à 22:26, Jonas Sicking <> a écrit :
> > I don't see why 304s should be different than other redirects from a
security point of view.
> What would be the security issue if the headers are not sent in the case
of 304?

Same as for other types of redirects.

If we follow a redirect without checking cors headers first, that leaks
information. Who knows if that information is sensitive or not.

> > So requiring headers seem like the right thing. Can't we just say that
that's the case for all redirects?
> I would love to see a survey of what servers are doing out of the box. It
seems Apache scraps them.

What do you mean "scraps them"? What headers are we talking about here,
response or request headers?

I think we must be talking past each other. Can someone provide a detailed
explanation of what the actual question is here.

/ Jonas

Received on Wednesday, 4 December 2013 11:08:46 UTC