Re: CORS and 304

On Thu, Apr 2, 2015 at 11:02 PM, Odin Hørthe Omdal <odinho@opera.com> wrote:
> From how I read Fetch
> now, it seems as if the 304 would simply get in the cached response from
> last time, and thus also the CORS responses that were part of that
> original 200.

No. Per the current specification CORS is checked first, then the
response code is handled. So a 304 without corresponding CORS headers
would result in a network error before the status is even looked at.

We can change that, but we'd need to be careful not to introduce new
cross-origin attack vectors. Proposals welcome.


-- 
https://annevankesteren.nl/

Received on Friday, 3 April 2015 09:25:59 UTC
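
The ordering described in the reply above (CORS check first, status handling second), sketched as an added example that is not part of the original message or of the Fetch specification text. The function names, object shapes and sample origin are assumptions made for illustration, and the CORS check is simplified to the Access-Control-Allow-Origin and Access-Control-Allow-Credentials comparison.

```javascript
// Simplified model (hypothetical names, not the Fetch algorithm itself): the
// CORS check runs on the response that came over the network, and only then is
// the status (here 304) handled.
const NETWORK_ERROR = Object.freeze({ type: "error", status: 0, body: null });

// Look up a header case-insensitively in a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Simplified CORS check: Access-Control-Allow-Origin must be "*" (only when no
// credentials are sent) or equal the request origin; with credentials,
// Access-Control-Allow-Credentials must also be "true".
function corsCheck(request, response) {
  const allowOrigin = header(response.headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  if (!request.withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== request.origin) return false;
  if (!request.withCredentials) return true;
  return header(response.headers, "Access-Control-Allow-Credentials") === "true";
}

// CORS first, status second. The cached entry's own CORS headers are never
// consulted, so a 304 that fails the check does not reach the cache at all.
function handleCorsResponse(request, networkResponse, cachedResponse) {
  if (!corsCheck(request, networkResponse)) return NETWORK_ERROR;
  if (networkResponse.status === 304 && cachedResponse) {
    return { type: "cors", status: cachedResponse.status, body: cachedResponse.body };
  }
  return { type: "cors", status: networkResponse.status, body: networkResponse.body };
}

// Constructed sample data.
const request = { origin: "https://app.example", withCredentials: false };
const cached = { status: 200, body: "cached payload",
  headers: { "Access-Control-Allow-Origin": "https://app.example", "ETag": '"v1"' } };
const bare304 = { status: 304, body: null, headers: { "ETag": '"v1"' } };
const cors304 = { status: 304, body: null,
  headers: { "ETag": '"v1"', "Access-Control-Allow-Origin": "https://app.example" } };

console.log(handleCorsResponse(request, bare304, cached).type);
console.log(handleCorsResponse(request, cors304, cached).body);
```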