
Re: CORS and 304

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 4 Dec 2013 12:15:35 +0000
Message-ID: <CADnb78h4+bCWO2pJvy7o-7P2gufbRo9xY0kfa=KtVc5aYXHgvg@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>, Mark Nottingham <mnot@mnot.net>, Julian Reschke <julian.reschke@gmx.de>
Cc: Karl Dubost <karl@la-grange.net>, Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, Dec 4, 2013 at 11:38 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> So you mean that if a CGI does a 304 redirect and sends some response
> headers and a response body, then apache will filter out the headers but
> send the 304 and the body? Is this specific to 304s?

304 is not strictly a redirect. 304 is "Not Modified". An indication
from the server that you can use the cached copy.


> Either way, a security issue can't be ignored because servers suck. We
> should still require the headers to be sent. Authors can always use other
> 30x responses.

Not for these semantics.


Mark, Julian, do you think CORS headers should be required on a 304 response?


-- 
http://annevankesteren.nl/
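To make the point under discussion concrete, here is an added example (not code from this thread or from any of its participants) of a server handler that keeps its CORS headers on a 304 Not Modified answer to a conditional GET, paired with a simplified stand-in for the browser-side CORS check; the resource body, ETag scheme and origin allowlist are constructed for the example.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample resource and allowlist; a real handler would load these.
RESOURCE_BODY = b'{"balance": 42}'
ALLOWED_ORIGINS = {"https://app.example"}


def etag_for(body: bytes) -> str:
    """Strong ETag derived from the body (constructed scheme)."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


def cors_headers(origin: str) -> Dict[str, str]:
    """CORS headers for an allowed origin; empty for anything else."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def handle_get(req: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Answer a possibly conditional GET. Returns (status, headers, body)."""
    origin = req.get("Origin", "")
    tag = etag_for(RESOURCE_BODY)
    headers = {"ETag": tag, "Cache-Control": "max-age=60"}
    headers.update(cors_headers(origin))
    if req.get("If-None-Match") == tag:
        # 304: no body, but the CORS headers stay on the response so a
        # revalidating browser can still establish that it may read the
        # (cached) representation. Stripping them here is the failure mode
        # the thread is concerned about.
        return 304, headers, b""
    return 200, headers, RESOURCE_BODY


def cors_check(resp_headers: Dict[str, str], origin: str) -> bool:
    """Simplified browser-side check: may `origin` read this response?
    (Credentialed requests and the "*" wildcard are not modelled.)"""
    return resp_headers.get("Access-Control-Allow-Origin") == origin
```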
Received on Wednesday, 4 December 2013 12:16:04 UTC