https://issues.apache.org/bugzilla/show_bug.cgi?id=51223
Bug #: 51223
Summary: 304 HTTP Not Modified strips out CORS headers
Product: Apache httpd-2
Version: 2.2.14
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Core
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Created attachment 27027
--> https://issues.apache.org/bugzilla/attachment.cgi?id=27027
Patch for the Ubuntu package
Per the RFC, HTTP Not Modified should not include entity headers: "Section
10.3.5: the response SHOULD NOT include other entity-headers".
However, the Cross-Origin-Resource-Sharing spec (http://www.w3.org/TR/cors/)
defines a few headers that are not entity headers and should therefore be
allowed in the 304 response:
"Access-Control-Allow-Origin",
"Access-Control-Allow-Credentials",
"Access-Control-Allow-Methods",
"Access-Control-Allow-Headers",
"Access-Control-Max-Age"
I understand that CORS is currently only a draft but it currently prevents any
web application from properly adopting this new standard. Indeed, a client
making a CORS request will not see the response if it is an HTTP Not Modified
304. The browser will block it due to the missing CORS headers.
Patch attached.
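The behaviour described in the report, as an added Python sketch (not part of the bug report or the attached patch): a 304 header filter driven by an allowlist, and the simplified origin check a browser applies to the result. The base allowlist, the sample headers, the origin and all function names are constructed assumptions, not httpd's actual list or API.

```python
# Added example: constructed data; the base allowlist is an assumption,
# not the list httpd really uses.
CORS_HEADERS = (
    "Access-Control-Allow-Origin",
    "Access-Control-Allow-Credentials",
    "Access-Control-Allow-Methods",
    "Access-Control-Allow-Headers",
    "Access-Control-Max-Age",
)
BASE_304_ALLOWLIST = ("Date", "ETag", "Expires", "Cache-Control", "Vary")

ORIGIN = "https://app.example"  # constructed requesting origin
FULL_200 = {                    # constructed headers of the original 200 response
    "Date": "Tue, 17 May 2011 10:00:00 GMT",
    "ETag": '"abc123"',
    "Content-Type": "application/json",
    "Content-Length": "512",
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}


def filter_304(headers, allowlist):
    """Keep only the headers a 304 may carry (header names are case-insensitive)."""
    allowed = {name.lower() for name in allowlist}
    return {k: v for k, v in headers.items() if k.lower() in allowed}


def cors_readable(headers, origin):
    """Simplified browser check: may a script from `origin` read this response?"""
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    return acao is not None and acao in ("*", origin)


def dropped_cors_headers(full, not_modified):
    """CORS headers present on the 200 response but missing from the 304."""
    cors = {name.lower() for name in CORS_HEADERS}
    kept = {k.lower() for k in not_modified}
    return sorted(k for k in full if k.lower() in cors and k.lower() not in kept)


if __name__ == "__main__":
    for label, allow in (("without CORS names", BASE_304_ALLOWLIST),
                         ("with CORS names", BASE_304_ALLOWLIST + CORS_HEADERS)):
        resp = filter_304(FULL_200, allow)
        print(label, cors_readable(resp, ORIGIN), dropped_cors_headers(FULL_200, resp))
```

Running `dropped_cors_headers` against a captured 200 and its revalidated 304 is a quick way to confirm whether a given server build exhibits the behaviour.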