You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/08/14 08:07:10 UTC

[Bug 51223] 304 HTTP Not Modified strips out CORS headers

https://bz.apache.org/bugzilla/show_bug.cgi?id=51223

--- Comment #21 from oberhamsi <si...@gmail.com> ---
(In reply to andyh from comment #20)
> #19: Isn't that problem solved by including "vary: origin" on the response,
> to indicate that the response depends on the value of the "origin" request
> header?

Even with vary:origin browser are still allowed to do a conditional request.
And the 304 response will fail if it does not include the corrected
ACAW-header.

The cached response is 200 and still fresh but due to the different origins it
"cannot be selected" https://tools.ietf.org/html/rfc7234#section-4.3 so a
conditional request is made. The 304 must then contain the corrected
ACAW-header so browsers can update the cached response:

> use other header fields provided in the 304 (Not Modified)
> response to replace all instances of the corresponding header
> fields in the stored response.

https://tools.ietf.org/html/rfc7234#section-4.3.4

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org