- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 04 Dec 2013 09:21:21 -0500
- To: public-webappsec@w3.org
On 12/4/13 6:38 AM, Jonas Sicking wrote:
> So you mean that if a CGI does a 304 redirect and sends some response
> headers and a response body

A 304 is not allowed to have a response body. I don't know offhand what the server would actually do in this case, drop the body or send an invalid HTTP response, nor what a browser would do in the latter case (per spec, it's supposed to treat the \r\n\r\n at the end of the headers as the end of the 304 response).

> Either way, a security issue can't be ignored because servers suck. We
> should still require the headers to be sent. Authors can always use
> other 30x responses.

I think you're assuming that 304 has any relation whatsoever to 301/302/303. It doesn't. Arguably, it should have been a 2xx status code....

-Boris
Received on Wednesday, 4 December 2013 14:21:50 UTC
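The framing rule Boris refers to, shown as an added example that is not part of the thread above and not code from any of the participants: a minimal HTTP/1.1 response parser that applies the RFC 7230 rule that 1xx, 204 and 304 responses (and any response to HEAD) carry no body, whatever Content-Length says. The sample bytes are constructed for the demo; they model a CGI that emits a 304 with headers and a "body", followed by a second response on the same persistent connection, and show that a conforming client ends the 304 at the blank line and then reads the stray bytes as the start of the next message.

```python
"""Message framing for HTTP/1.1 304 responses (added example, not from the thread).

RFC 7230 section 3.3.3: a 304 Not Modified response never has a body, so a
client ends the message at the CRLFCRLF after the headers. Any bytes a server
sends after that are not the 304's body; on a keep-alive connection they are
parsed as the beginning of the *next* response. All sample data below is
constructed for this demo.
"""
from typing import Dict, Tuple

# Status codes whose responses are defined to have no body (RFC 7230 3.3.3).
BODYLESS_STATUS = {204, 304}


def parse_response(raw: bytes, head_request: bool = False) -> Tuple[int, Dict[str, str], bytes, bytes]:
    """Parse one HTTP/1.1 response from `raw`.

    Returns (status, headers, body, leftover). `leftover` is whatever follows
    the message on the wire; a keep-alive client would parse it as the next
    response.
    """
    head_end = raw.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("incomplete header block")
    head, rest = raw[:head_end], raw[head_end + 4:]
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        raise ValueError("malformed status line")
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()

    # Framing rule: no body for 1xx/204/304 or any response to HEAD, even when
    # Content-Length or Transfer-Encoding is present. Headers are still kept,
    # so e.g. cache or CORS headers on a 304 remain visible to the client.
    if head_request or status // 100 == 1 or status in BODYLESS_STATUS:
        return status, headers, b"", rest

    if "transfer-encoding" in headers:
        raise NotImplementedError("chunked framing is out of scope for this demo")
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(rest) < n:
            raise ValueError("truncated body")
        return status, headers, rest[:n], rest[n:]
    # No length information: the body runs until the connection closes.
    return status, headers, rest, b""


# Constructed sample: a CGI-style 304 that wrongly also emits a body, followed
# by a legitimate second response on the same persistent connection.
SAMPLE_304_WITH_BODY = (
    b"HTTP/1.1 304 Not Modified\r\n"
    b"Content-Length: 12\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"\r\n"
    b"hello world!"  # 12 bytes a 304 is not allowed to carry
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"ok"
)


def demo() -> dict:
    """Parse the constructed 304 and report how a conforming client frames it."""
    status, headers, body, leftover = parse_response(SAMPLE_304_WITH_BODY)
    return {
        "status": status,
        "cors_header": headers.get("access-control-allow-origin"),
        "body": body,                       # b"": the 304 is body-less by definition
        "leftover_prefix": leftover[:12],   # the stray bytes now lead the next message
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The design point is that `parse_response` decides body framing from the status code before it looks at Content-Length, which is exactly the order RFC 7230 prescribes; a parser that checked Content-Length first would "consume" the stray bytes as a body and silently disagree with every conforming peer about where the next message starts.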