Re: CORS and 304 from Mark Nottingham on 2015-04-08 (public-webappsec@w3.org from April 2015)

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 8 Apr 2015 15:31:00 +1000
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <4E4FA817-5C8E-4770-8A73-0B0FBF340CF2@mnot.net>

> On 8 Apr 2015, at 3:09 pm, Anne van Kesteren <annevk@annevk.nl> wrote:
> 
> On Wed, Apr 8, 2015 at 7:02 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> Yeah — but just as far as ACEH is concerned.
> 
> Might also be interesting to check that if you include a new ACAO
> header it then does fail. Or the even sillier edge case of doing a
> credentialed fetch and having the 304 add ACAC (requires the original
> response to use an origin, not *).

<http://www.w3.org/TR/cors/#access-control-allow-origin-response-header>:

"""
The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
"""

What does that *mean*?



--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 8 April 2015 05:31:28 UTC