W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: CORS and 304

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 8 Apr 2015 14:41:18 +1000
Cc: Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <98700ABE-C018-44B6-BFBB-A85960D11E74@mnot.net>
To: Anne van Kesteren <annevk@annevk.nl>

> On 8 Apr 2015, at 2:33 pm, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I'd be happy to work on some proposals to fix that, if you're amenable.
> Sure. It seems to me though that if it's not in the cache you make
> network fetch and only then can you handle 304. But I guess that could
> be more tightly coupled than say, redirects, although it seems
> somewhat odd.

You only get a 304 (legitimately) when you send a conditional request, and the browser will only send a conditional request when it has something in cache — but that thing is stale (hence the conditional request).

If the client-side code is generating the conditional request and trying to handle the 304 themselves, yes it's a problem (and IIRC we left that as unsolveable last time around).

>> Not sure what's new here — every browser I tested passed the core of that suite.
> Well that certainly argues for changing the specification. Is there
> overlap in the tests they don't pass?

IIRC it was the stuff you asked me to add around Access-Control-Expose-Headers.


Mark Nottingham   https://www.mnot.net/
Received on Wednesday, 8 April 2015 04:41:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC