- From: Karl Dubost <karl@la-grange.net>
- Date: Mon, 25 Nov 2013 11:49:00 -0500
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>, Odin Omdal Hørthe <odinho@opera.com>, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>
Le 25 nov. 2013 à 11:34, Anne van Kesteren <annevk@annevk.nl> a écrit : > Karl discovered s/discovered/transmitted the message/. Clochix (from French Web dev communtity) pointed out the issue this morning. > a bug in the CORS protocol. We do not specify what > happens for a 304 response that does not have CORS headers. If we > follow the logic from redirects, we ought to require CORS headers in > that scenario. To note Apache strips out the CORS headers https://issues.apache.org/bugzilla/show_bug.cgi?id=51223 The HTTP 1.1 Spec says it can http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-25#section-4.1 > Firefox does this. Chrome does not. > > I want to nail this down in the 304 bit of > http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it > here to see what people think. Thanks Anne. -- Karl Dubost http://www.la-grange.net/karl/
Received on Monday, 25 November 2013 16:49:34 UTC