W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: CORS and 304

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 4 Dec 2013 03:08:19 -0800
Message-ID: <CA+c2ei--qVORpbyGgGaF+ZOoFC3y=NUnEfbvSO-pFUGXUqHMVw@mail.gmail.com>
To: Karl Dubost <karl@la-grange.net>
Cc: Odin Hørthe Omdal <odinho@opera.com>, Anne van Kesteren <annevk@annevk.nl>, Adam Barth <w3c@adambarth.com>, WebAppSec WG <public-webappsec@w3.org>
On Dec 4, 2013 2:39 AM, "Karl Dubost" <karl@la-grange.net> wrote:
>
>
> Le 3 déc. 2013 à 22:26, Jonas Sicking <jonas@sicking.cc> a écrit :
> > I don't see why 304s should be different than other redirects from a
security point of view.
>
> What would be the security issue if the headers are not sent in the case
of 304?

Same as for other types of redirects.

If we follow a redirect without checking cors headers first, that leaks
information. Who knows if that information is sensitive or not.

> > So requiring headers seem like the right thing. Can't we just say that
that's the case for all redirects?
>
> I would love to see a survey of what servers are doing out of the box. It
seems Apache scraps them.

What do you mean "scraps them"? What headers are we talking about here,
response or request headers?

I think we must be talking past each other. Can someone provide a detailed
explanation of what the actual question is here.

/ Jonas
Received on Wednesday, 4 December 2013 11:08:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC