
Re: CORS and 304

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 04 Dec 2013 09:21:21 -0500
Message-ID: <529F3A61.1040008@mit.edu>
To: public-webappsec@w3.org
On 12/4/13 6:38 AM, Jonas Sicking wrote:
> So you mean that if a CGI does a 304 redirect and sends some response
> headers and a response body

A 304 is not allowed to have a response body.  I don't know offhand what 
the server would actually do in this case, drop the body or send an 
invalid HTTP response, nor what a browser would do in the latter case 
(per spec, it's supposed to treat the \r\n\r\n at the end of the headers 
as the end of the 304 response).

> Either way, a security issue can't be ignored because servers suck. We
> should still require the headers to be sent. Authors can always use
> other 30x responses.

I think you're assuming that 304 has any relation whatsoever to 
301/302/303.  It doesn't.  Arguably, it should have been a 2xx status 
code....

-Boris
Received on Wednesday, 4 December 2013 14:21:50 UTC
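
As an added example (not code from this thread, a browser or any server), a minimal HTTP/1.1 response reader in Python that applies the rule Boris describes: a 304 ends at the \r\n\r\n after its headers, so any Content-Length on it is ignored and a body a misbehaving server sends anyway is left on the connection, where it corrupts the next response read. The sample responses are constructed for the example.

```python
import re

# Responses that never carry a body (RFC 7230 section 3.3.3); 1xx is handled
# separately below. Responses to HEAD also have none, but that needs the request.
BODYLESS_STATUSES = {204, 304}


def read_response(stream: bytes):
    """Parse one response from `stream`; return (status, headers, body, rest)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    status_line, *header_lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3})", status_line)
    if not m:
        raise ValueError("bad status line")
    status = int(m.group(1))
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    # A 1xx, 204 or 304 response ends at the blank line, whatever the headers say;
    # the CORS headers on it are still parsed and returned like any other header.
    if status // 100 == 1 or status in BODYLESS_STATUSES:
        return status, headers, b"", rest
    length = int(headers.get("content-length", "0"))
    return status, headers, rest[:length], rest[length:]


def next_response_parses(stream: bytes) -> bool:
    """True if `stream` begins with a well-formed response (False once desynced)."""
    try:
        read_response(stream)
        return True
    except ValueError:
        return False


# Constructed sample: a 304 that wrongly carries a Content-Length and a body,
# followed on the same connection by a legitimate 200 response.
SAMPLE = (
    b"HTTP/1.1 304 Not Modified\r\n"
    b"Access-Control-Allow-Origin: https://app.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"stale"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"ok"
)

if __name__ == "__main__":
    status, headers, body, rest = read_response(SAMPLE)
    print(status, headers, body, next_response_parses(rest))
```

The stray "stale" bytes are what the next read sees as a status line, which is why a 304 with a body is an invalid response rather than a 304 plus a body.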
