
Re: CORS and 304

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 3 Apr 2015 11:25:30 +0200
Message-ID: <CADnb78jfgT_tBYP7gUe4i3UfP_8QM9mfsQz0m78dhOzGBEaj+A@mail.gmail.com>
To: Odin Hørthe Omdal <odinho@opera.com>
Cc: Mark Nottingham <mnot@mnot.net>, Alex Russell <slightlyoff@google.com>, Jonas Sicking <jonas@sicking.cc>, Karl Dubost <karl@la-grange.net>, "Julian F. Reschke" <julian.reschke@gmx.de>, Adam Barth <w3c@adambarth.com>, WebAppSec WG <public-webappsec@w3.org>
On Thu, Apr 2, 2015 at 11:02 PM, Odin Hørthe Omdal <odinho@opera.com> wrote:
> From how I read Fetch
> now, it seems as if the 304 would simply get in the cached response from
> last time, and thus also the CORS responses that were part of that
> original 200.

No. Per the current specification CORS is checked first, then the
response code is handled. So a 304 without corresponding CORS headers
would result in a network error before the status is even looked at.

We can change that, but we'd need to be careful not to introduce new
cross-origin attack vectors. Proposals welcome.

Received on Friday, 3 April 2015 09:25:59 UTC
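A small model of the ordering the reply describes (CORS check first, then status handling), added here as an illustration and not code from the thread or from any Fetch implementation; the request, response and cache shapes are constructed for the example.

```javascript
// Added illustration of the ordering the reply describes: the CORS check runs
// on the response that actually arrived, and only a response that passes it
// reaches status handling such as 304 revalidation. All shapes are constructed.
// CORS check: Access-Control-Allow-Origin must be "*" (only allowed without
// credentials) or exactly the request origin; with credentials the server
// must also send Access-Control-Allow-Credentials: true.
function corsCheck(request, response) {
  const allowOrigin = response.headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;          // header absent
  if (allowOrigin === "*") return request.credentials !== "include";
  if (allowOrigin !== request.origin) return false;
  if (request.credentials !== "include") return true;
  return response.headers["access-control-allow-credentials"] === "true";
}
// One round of a cross-origin fetch. httpCache is a Map keyed by URL.
function corsFetch(request, networkResponse, httpCache) {
  // Step 1: CORS check before anything else is done with the response.
  if (request.mode === "cors" && !corsCheck(request, networkResponse)) {
    return { type: "error" };   // network error; status never inspected
  }
  // Step 2: status handling. A 304 means "reuse the cached response", with
  // the cached headers freshened by the ones carried on the 304.
  if (networkResponse.status === 304) {
    const cached = httpCache.get(request.url);
    if (!cached) return { type: "error" };   // nothing to revalidate against
    return {
      type: "cors",
      status: cached.status,
      headers: { ...cached.headers, ...networkResponse.headers },
      body: cached.body,
    };
  }
  httpCache.set(request.url, networkResponse);   // remember the full 200
  return { type: "cors", ...networkResponse };
}
// Walk through the case from the thread: a 200 with CORS headers is cached,
// then a 304 arrives without them (bare) and again with them (good).
function scenario() {
  const cache = new Map();
  const request = { url: "https://api.example/data", origin: "https://app.example",
                    mode: "cors", credentials: "omit" };
  const first = corsFetch(request, { status: 200, body: "payload",
    headers: { etag: '"v1"', "access-control-allow-origin": "https://app.example" } }, cache);
  const bare304 = corsFetch(request, { status: 304, headers: { etag: '"v1"' } }, cache);
  const good304 = corsFetch(request, { status: 304,
    headers: { etag: '"v1"', "access-control-allow-origin": "https://app.example" } }, cache);
  return { first: first.type, bare304: bare304.type, good304: good304.type + ":" + good304.body };
}
console.log(scenario());   // { first: 'cors', bare304: 'error', good304: 'cors:payload' }
```

The bare 304 is rejected even though the cached 200 carried the CORS headers, which is the behaviour the reply points out.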

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC