Re: CORS and 304

On 12/4/13 6:38 AM, Jonas Sicking wrote:
> So you mean that if a CGI does a 304 redirect and sends some response
> headers and a response body

A 304 is not allowed to have a response body.  I don't know offhand what 
the server would actually do in this case, drop the body or send an 
invalid HTTP response, nor what a browser would do in the latter case 
(per spec, it's supposed to treat the \r\n\r\n at the end of the headers 
as the end of the 304 response).

> Either way, a security issue can't be ignored because servers suck. We
> should still require the headers to be sent. Authors can always use
> other 30x responses.

I think you're assuming that 304 has any relation whatsoever to 
301/302/303.  It doesn't.  Arguably, it should have been a 2xx status 
code....

-Boris

Received on Wednesday, 4 December 2013 14:21:50 UTC
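
The framing rule described in the message above (the blank line after the headers ends a 304), as an added example that is not part of the original thread: a minimal client-side response framer in Python, run over a constructed byte stream, showing that body bytes a server wrongly sends after a 304 stay in the connection buffer and corrupt the next response's status line. The function name, sample stream and origin value are hypothetical, and only Content-Length framing is handled.

```python
# Added illustration, not code from the thread. Sample bytes are constructed.
BODILESS = {204, 304}

def frame_response(buf: bytes):
    """Split one HTTP/1.1 response off the front of buf.

    Returns (status, headers, body, rest). Chunked encoding is out of scope.
    """
    head, sep, after = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(parts[1].decode("ascii"))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    # 1xx, 204 and 304 never carry a body: the blank line ends the message,
    # whatever Content-Length says.
    if 100 <= status < 200 or status in BODILESS:
        return status, headers, b"", after
    length = int(headers.get("content-length", "0"))
    if len(after) < length:
        raise ValueError("incomplete body")
    return status, headers, after[:length], after[length:]

NEXT = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
HEAD_304 = (b"HTTP/1.1 304 Not Modified\r\n"
            b"Access-Control-Allow-Origin: https://app.example\r\n"
            b"Content-Length: 5\r\n\r\n")
SAMPLE_GOOD = HEAD_304 + NEXT             # server drops the body
SAMPLE_BAD = HEAD_304 + b"hello" + NEXT   # server sends an invalid 304 body

if __name__ == "__main__":
    for name, stream in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        status, headers, body, rest = frame_response(stream)
        print(name, status, headers.get("access-control-allow-origin"), body)
        try:
            print("  next:", frame_response(rest)[:3])
        except ValueError as exc:
            print("  next response unparseable:", exc)
```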