- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 3 Apr 2015 11:25:30 +0200
- To: Odin Hørthe Omdal <odinho@opera.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Alex Russell <slightlyoff@google.com>, Jonas Sicking <jonas@sicking.cc>, Karl Dubost <karl@la-grange.net>, "Julian F. Reschke" <julian.reschke@gmx.de>, Adam Barth <w3c@adambarth.com>, WebAppSec WG <public-webappsec@w3.org>

On Thu, Apr 2, 2015 at 11:02 PM, Odin Hørthe Omdal <odinho@opera.com> wrote:
> From how I read Fetch now, it seems as if the 304 would simply get in the
> cached response from last time, and thus also the CORS responses that were
> part of that original 200.

No. Per the current specification CORS is checked first, then the response code is handled. So a 304 without corresponding CORS headers would result in a network error before the status is even looked at.

We can change that, but we'd need to be careful not to introduce new cross-origin attack vectors. Proposals welcome.

--
https://annevankesteren.nl/

Received on Friday, 3 April 2015 09:25:59 UTC
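
A simplified model of the ordering described in the message above, as an added example that is not part of the original e-mail and is not the Fetch specification's own algorithm text. The function names, object shapes and the sample origin are assumptions made for illustration.

```javascript
// Simplified model (added example): the CORS check runs before the status is handled.
// Headers are plain objects with lowercase names; all names here are hypothetical.
const NETWORK_ERROR = Object.freeze({ type: "error", status: 0 });

// Simplified CORS check: Access-Control-Allow-Origin must be "*" (only for
// requests without credentials) or exactly the request origin; credentialed
// requests also need Access-Control-Allow-Credentials: true.
function corsCheck(request, response) {
  const allowOrigin = response.headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (request.credentials !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== request.origin) return false;
  if (request.credentials !== "include") return true;
  return response.headers["access-control-allow-credentials"] === "true";
}

// Order described in the message: CORS first, then the response code.
function handleCorsResponse(request, networkResponse, cachedResponse) {
  // A 304 that lacks CORS headers fails here, before its status is inspected,
  // even if the stored 200 carried valid CORS headers.
  if (!corsCheck(request, networkResponse)) return NETWORK_ERROR;
  if (networkResponse.status === 304 && cachedResponse) {
    // Revalidated: serve the stored body; headers on the 304 update stored ones.
    return {
      type: "cors",
      status: cachedResponse.status,
      headers: { ...cachedResponse.headers, ...networkResponse.headers },
      body: cachedResponse.body,
    };
  }
  return { type: "cors", ...networkResponse };
}

// Constructed sample data (not taken from the thread).
const request = { origin: "https://app.example", credentials: "omit" };
const cached200 = {
  status: 200,
  headers: { "access-control-allow-origin": "https://app.example", etag: '"v1"' },
  body: "payload",
};
const bare304 = { status: 304, headers: { etag: '"v1"' }, body: null };
const cors304 = {
  status: 304,
  headers: { etag: '"v1"', "access-control-allow-origin": "https://app.example" },
  body: null,
};

console.log(handleCorsResponse(request, bare304, cached200).type);
console.log(handleCorsResponse(request, cors304, cached200).status);
```
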