- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 25 Nov 2013 16:34:20 +0000
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: Karl Dubost <karl@la-grange.net>, Odin Omdal Hørthe <odinho@opera.com>, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>

Karl discovered a bug in the CORS protocol. We do not specify what happens for a 304 response that does not have CORS headers. If we follow the logic from redirects, we ought to require CORS headers in that scenario. Firefox does this. Chrome does not. I want to nail this down in the 304 bit of http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it here to see what people think.

-- 
http://annevankesteren.nl/

Received on Monday, 25 November 2013 16:34:52 UTC
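
The gap described in the message above, as an added example that is not part of the original e-mail, the Fetch specification, or any browser's code: a cache revalidation that ends in a 304, evaluated under two policies. Assumptions: the function names, the policy labels `require-on-304` and `stored-only`, the `*.example` origins, and a CORS check reduced to `Access-Control-Allow-Origin` without credentials are all hypothetical; `stored-only` is one possible reading of not requiring the headers on the 304, not a description of a specific browser.

```javascript
// Added illustration; not code from the Fetch spec or from any browser.
// Constructed sample data: a cached cross-origin response and two 304 replies.
const stored = {
  status: 200,
  headers: { "etag": '"v1"', "access-control-allow-origin": "https://a.example" },
  body: "cached payload",
};
const bare304 = { status: 304, headers: { "etag": '"v1"' } };
const cors304 = {
  status: 304,
  headers: { "etag": '"v1"', "access-control-allow-origin": "https://b.example" },
};

// Simplified CORS check: Access-Control-Allow-Origin only, no credentials mode.
function corsCheck(headers, origin) {
  const allow = headers["access-control-allow-origin"];
  return allow === "*" || allow === origin;
}

// HTTP cache revalidation: header fields on the 304 replace the stored ones.
function freshen(cached, notModified) {
  return { ...cached, headers: { ...cached.headers, ...notModified.headers } };
}

// policy "require-on-304": the 304 itself must pass the check (redirect logic).
// policy "stored-only" (assumed alternative): only the freshened entry is checked.
function revalidate(cached, notModified, origin, policy) {
  if (notModified.status !== 304) throw new Error("expected a 304 response");
  if (policy === "require-on-304" && !corsCheck(notModified.headers, origin)) {
    return { ok: false, reason: "304 has no matching CORS headers" };
  }
  const merged = freshen(cached, notModified);
  if (!corsCheck(merged.headers, origin)) {
    return { ok: false, reason: "stored response fails CORS check" };
  }
  return { ok: true, body: merged.body };
}

// Same cached entry, same bare 304, two different outcomes.
for (const policy of ["require-on-304", "stored-only"]) {
  console.log(policy, revalidate(stored, bare304, "https://a.example", policy));
}
```

With the bare 304 the two policies disagree for `https://a.example`, which is the interoperability difference the message reports; a server that repeats its CORS headers on 304 responses gets the same result under both.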