W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: CORS and 304

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 04 Dec 2013 16:14:06 +0100
Message-ID: <529F46BE.5060501@gmx.de>
To: Anne van Kesteren <annevk@annevk.nl>, Jonas Sicking <jonas@sicking.cc>, Mark Nottingham <mnot@mnot.net>
CC: Karl Dubost <karl@la-grange.net>, Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
On 2013-12-04 13:15, Anne van Kesteren wrote:
> On Wed, Dec 4, 2013 at 11:38 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> So you mean that if a CGI does a 304 redirect and sends some response
>> headers and a response body, then apache will filter out the headers but
>> send the 304 and the body? Is this specific to 304s?
>
> 304 is not strictly a redirect. 304 is "Not Modified". An indication
> from the server that you can use the cached copy.
>
>
>> Either way, a security issue can't be ignored because servers suck. We
>> should still require the headers to be sent. Authors can always use other
>> 30x responses.
>
> Not for these semantics.
>
>
> Mark, Julian, do you think CORS headers should be required on a 304 response?

I'm not familiar enough with CORS.

Having said that: if a 200 response works without CORS headers then I 
don't see why they would be needed (or what they would be good for) on a 
304.

Best regards, Julian
Received on Wednesday, 4 December 2013 15:14:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC