Re: CORS and 304

From: Karl Dubost <karl@la-grange.net>
Date: Wed, 4 Dec 2013 10:59:02 -0500
Cc: Jonas Sicking <jonas@sicking.cc>, Mark Nottingham <mnot@mnot.net>, Julian Reschke <julian.reschke@gmx.de>, Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
Message-Id: <F91B1410-F315-480D-8DC4-33ECA0A77480@la-grange.net>
To: Anne van Kesteren <annevk@annevk.nl>

So clochix, who reported the issue, recreated a test case.

* First button creates a cross origin request and returns a 200.
* Second button creates a cross origin request
  Response is 304, Apache removes CORS headers
  browser sends an error (Firefox 25+, Chromium 31)
* 3 and 4 same requests for same domain (aka no CORS)

(hope it helps to understand)

Karl Dubost
Received on Wednesday, 4 December 2013 16:00:11 UTC
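
The behaviour reported in the message above can be checked from a pair of recorded responses. The following is an added example, not part of the original message or of the test case it mentions: the two sample responses are constructed, `https://app.example` is a placeholder origin, the function names are hypothetical, and `allowsOrigin` is a simplified origin check that looks only at `Access-Control-Allow-Origin` for a non-credentialed request.

```javascript
// Added illustration; sample responses are constructed, not taken from the test case.
const SAMPLE_200 = [
  "HTTP/1.1 200 OK",
  'ETag: "abc123"',
  "Access-Control-Allow-Origin: https://app.example",
  "Content-Type: application/json",
  "",
  "{}",
].join("\r\n");
const SAMPLE_304 = ["HTTP/1.1 304 Not Modified", 'ETag: "abc123"', "", ""].join("\r\n");

// Parse the status code and headers (lower-cased names) from a raw response.
function parseResponseHead(raw) {
  const [statusLine, ...lines] = raw.split(/\r?\n\r?\n/)[0].split(/\r?\n/);
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(statusLine);
  if (!m) throw new Error("not an HTTP response: " + statusLine);
  const headers = new Map();
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // skip malformed header lines
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers.set(name, headers.has(name) ? headers.get(name) + ", " + value : value);
  }
  return { status: Number(m[1]), headers };
}

// Simplified (assumed) check: does this header set allow the requesting origin?
function allowsOrigin(headers, origin) {
  const acao = headers.get("access-control-allow-origin");
  return acao === "*" || acao === origin;
}

// Names of Access-Control-* headers present on the 200 but missing from the 304.
function corsHeadersLostOn304(raw200, raw304) {
  const full = parseResponseHead(raw200);
  const reval = parseResponseHead(raw304);
  if (full.status !== 200 || reval.status !== 304) {
    throw new Error("expected a 200/304 pair");
  }
  return [...full.headers.keys()].filter(
    (n) => n.startsWith("access-control-") && !reval.headers.has(n)
  );
}
```

A non-empty result from `corsHeadersLostOn304` means the server drops CORS headers on revalidation, which is the condition the second button in the test case exercises.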
