Re: CORS and 304 from Jonas Sicking on 2013-12-04 (public-webappsec@w3.org from December 2013)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 4 Dec 2013 03:38:19 -0800
To: Karl Dubost <karl@la-grange.net>
Cc: Anne van Kesteren <annevk@annevk.nl>, Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <CA+c2ei9eVmiuGACh_k7R-vP6FX7E-m6Xiv26ebMoBKETfjm+7A@mail.gmail.com>

On Dec 4, 2013 3:27 AM, "Karl Dubost" <karl@la-grange.net> wrote:
>
>
> Le 4 déc. 2013 à 06:08, Jonas Sicking <jonas@sicking.cc> a écrit :
> > What do you mean "scraps them"? What headers are we talking about here,
response or request headers?
>
> response headers. :)

So you mean that if a CGI does a 304 redirect and sends some response
headers and a response body, then apache will filter out the headers but
send the 304 and the body? Is this specific to 304s?

Either way, a security issue can't be ignored because servers suck. We
should still require the headers to be sent. Authors can always use other
30x responses.

/ Jonas

Received on Wednesday, 4 December 2013 11:38:46 UTC