W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: CORS and 304

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 04 Dec 2013 16:05:06 +0100
Message-ID: <529F44A2.6000009@gmx.de>
To: Jonas Sicking <jonas@sicking.cc>, Karl Dubost <karl@la-grange.net>
CC: Anne van Kesteren <annevk@annevk.nl>, Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
On 2013-12-04 12:38, Jonas Sicking wrote:
>
> On Dec 4, 2013 3:27 AM, "Karl Dubost" <karl@la-grange.net
> <mailto:karl@la-grange.net>> wrote:
>  >
>  >
>  > Le 4 déc. 2013 à 06:08, Jonas Sicking <jonas@sicking.cc> a écrit :
>  > > What do you mean "scraps them"? What headers are we talking about
> here, response or request headers?
>  >
>  > response headers. :)
>
> So you mean that if a CGI does a 304 redirect and sends some response
> headers and a response body, then apache will filter out the headers but
> send the 304 and the body? Is this specific to 304s?
>
> Either way, a security issue can't be ignored because servers suck. We
> should still require the headers to be sent. Authors can always use
> other 30x responses.

But a 304 is very different from the other redirect status codes (see 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-25.html#rfc.section.6.4>); 
you can't just "another one".

Best regards, Julian
Received on Wednesday, 4 December 2013 15:05:48 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC