- From: Karl Dubost <karl@la-grange.net>
- Date: Wed, 4 Dec 2013 05:39:01 -0500
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Odin Omdal H�rthe <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
Le 3 d�c. 2013 � 22:26, Jonas Sicking <jonas@sicking.cc> a �crit : > I don't see why 304s should be different than other redirects from a security point of view. What would be the security issue if the headers are not sent in the case of 304? > So requiring headers seem like the right thing. Can't we just say that that's the case for all redirects? I would love to see a survey of what servers are doing out of the box. It seems Apache scraps them. IIS? nginx? Knowing that would be a good thing for accessing how much difficult it will be to evangelize and it that would create a Web compatibility issues (with a lot of contacts ;) ). Sincerely I don't know yet if it's a frequent issue, but I would love to have an idea about it. -- Karl Dubost http://www.la-grange.net/karl/
Received on Wednesday, 4 December 2013 10:39:37 UTC