Re: CORS and 304

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 04 Dec 2013 09:18:35 -0500
Message-ID: <529F39BB.6020403@mit.edu>
To: public-webappsec@w3.org

On 12/4/13 6:08 AM, Jonas Sicking wrote:
> Same as for other types of redirects.
>
> If we follow a redirect without checking cors headers first, that leaks
> information. Who knows if that information is sensitive or not.

304 is only sort of a redirect.  At best it's a redirect-to-cache.  It 
just says "use your cached version; the resource hasn't changed".

-Boris
Received on Wednesday, 4 December 2013 14:19:08 UTC