- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 04 Dec 2013 09:18:35 -0500
- To: public-webappsec@w3.org

On 12/4/13 6:08 AM, Jonas Sicking wrote:
> Same as for other types of redirects.
>
> If we follow a redirect without checking cors headers first, that leaks
> information. Who knows if that information is sensitive or not.

304 is only sort of a redirect. At best it's a redirect-to-cache. It just says "use your cached version; the resource hasn't changed".

-Boris

Received on Wednesday, 4 December 2013 14:19:08 UTC