Re: CORS and 304

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 8 Apr 2015 19:37:08 +1000
Cc: Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <DB2B4FFA-65ED-4F0E-B487-B872771611C0@mnot.net>
To: Anne van Kesteren <annevk@annevk.nl>

tl;dr — It appears Opera, Chrome, Safari and FF update cached responses with 304 correctly, at least as far as CORS is concerned.

> On 8 Apr 2015, at 3:09 pm, Anne van Kesteren <annevk@annevk.nl> wrote:
> 
> On Wed, Apr 8, 2015 at 7:02 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> Yeah — but just as far as ACEH is concerned.
> 
> Might also be interesting to check that if you include a new ACAO
> header it then does fail. Or the even sillier edge case of doing a
> credentialed fetch and having the 304 add ACAC (requires the original
> response to use an origin, not *).

OK, I rewrote the whole thing as async, because I wasn't happy with the results it was giving me; the caching behaviours of the browsers were interfering (especially upon reload).

It now seems much more reliable. Interestingly, Firefox and Safari pass all of the tests — including when ACAO changes to disallow access. Haven't tried ACAC yet.

Chrome and Opera fail the first three tests because they seem not to update Content-Language from a 304 (I'm using it to smuggle test state). If I comment out that assertion, however, they both pass (and interestingly, they do both pass the fourth test with a changed ACAO, even with that assertion).

I might fiddle around with it to filter that out, since it's testing cache behaviour, not CORS. Would be happy to have some more eyes on the tests, as I'm still new to WPT:
  https://github.com/w3c/web-platform-tests/pull/1740

Cheers,


--
Mark Nottingham   https://www.mnot.net/
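The four situations the thread talks about (a 304 that updates Content-Language, one that adds ACEH, one that changes ACAO to a different origin, and a credentialed fetch whose 304 adds ACAC), modelled as an added example. This is not code from the thread or from the WPT pull request: it assumes the header-update rule of RFC 7234 section 4.3.4 (fields in the 304 replace the corresponding stored fields) and the CORS check from the Fetch standard, and every origin, header value and header name below (including X-Test-State) is constructed for illustration.

```javascript
'use strict';

// Added example, not code from the thread or the WPT pull request: a model of
// how a cache folds a 304 into a stored response and how the CORS check then
// runs against the updated headers. All header values are constructed.

// Lowercase header names so lookups are case-insensitive, as in HTTP.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// RFC 7234 section 4.3.4: each header field in the 304 replaces the
// corresponding field of the stored response; unmentioned fields are kept.
function applyNotModified(stored, notModified) {
  return { ...normalize(stored), ...normalize(notModified) };
}

// Fetch standard "CORS check": without credentials ACAO may be "*" or the
// requesting origin; with credentials "*" is rejected and ACAC must be the
// exact string "true".
function corsCheck(headers, origin, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === origin;
  if (acao !== origin) return false;
  return headers['access-control-allow-credentials'] === 'true';
}

// Response headers script may read: the CORS-safelisted response-header
// names plus whatever Access-Control-Expose-Headers lists.
const SAFELISTED_RESPONSE_HEADERS = [
  'cache-control', 'content-language', 'content-length', 'content-type',
  'expires', 'last-modified', 'pragma',
];
function readableHeaders(headers) {
  const allowed = new Set(SAFELISTED_RESPONSE_HEADERS);
  const aceh = headers['access-control-expose-headers'] || '';
  for (const name of aceh.split(',')) {
    const trimmed = name.trim().toLowerCase();
    if (trimmed) allowed.add(trimmed);
  }
  return Object.keys(headers).filter((h) => allowed.has(h)).sort();
}

// The cached response every scenario starts from (constructed sample data).
const ORIGIN = 'https://example.com';
const STORED = {
  'Content-Type': 'text/plain',
  'Content-Language': 'en',
  'Access-Control-Allow-Origin': ORIGIN,
  'X-Test-State': 'first',            // hypothetical header carrying test state
  'Cache-Control': 'max-age=0',       // forces revalidation on the next fetch
  'ETag': '"v1"',
};

// Each scenario is a 304 applied to STORED, followed by the checks a browser
// would run on the result.
function runScenarios() {
  // 1. 304 carries a new Content-Language: the updated value must be visible.
  const s1 = applyNotModified(STORED, { 'Content-Language': 'fr' });

  // 2. 304 adds Access-Control-Expose-Headers: a hidden header becomes readable.
  const s2 = applyNotModified(STORED, { 'Access-Control-Expose-Headers': 'X-Test-State' });

  // 3. 304 changes ACAO to another origin: the CORS check must now fail.
  const s3 = applyNotModified(STORED, { 'Access-Control-Allow-Origin': 'https://other.example' });

  // 4. Credentialed fetch; stored ACAO is the origin (not "*") and the 304
  //    adds ACAC, so the credentialed check passes only after the update.
  const s4 = applyNotModified(STORED, { 'Access-Control-Allow-Credentials': 'true' });

  return {
    languageAfterUpdate: s1['content-language'],
    exposedBefore: readableHeaders(normalize(STORED)).includes('x-test-state'),
    exposedAfter: readableHeaders(s2).includes('x-test-state'),
    allowedBeforeAcaoChange: corsCheck(normalize(STORED), ORIGIN, false),
    allowedAfterAcaoChange: corsCheck(s3, ORIGIN, false),
    credentialedBefore: corsCheck(normalize(STORED), ORIGIN, true),
    credentialedAfter: corsCheck(s4, ORIGIN, true),
  };
}

console.log(runScenarios());
```

In this model the Content-Language check and the ACAO check are independent of each other, which is the distinction the message draws between testing cache behaviour and testing CORS: a cache that keeps its stale Content-Language fails scenario 1 while still passing scenario 3.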
Received on Wednesday, 8 April 2015 09:37:37 UTC