304 with CORS on apache – Valuable Tech Notes

I have an REST API that returns a 304 Not Modified status code for some request (that have If-Modified-Since header). The problem is that the apache2 software strips any CORS header prior to the response being sent to the browser.

This happens only when the status code is 304. Any other end-point works great with CORS. All the pre-flight requests work also great.

I have read on the internet that Apache does this in order to comply with some specs, but I can't believe that CORS with 304 is not supposed to work in specs.

Is there a way I could achieve this with apache?

Update:

My javascript is

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://api.domain.com/api/endpoint?token='+localStorage.getItem('token'));
xhr.setRequestHeader("If-Modified-Since", "Mon, 11 Jan 2016 15:46:54 GMT");
xhr.send(null);

I get an error:

No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://xxx.domain.com' is therefore not allowed
access.

Best Answer

304's don't need to include the CORS headers. Browsers should see the 304 and use the cache.

https://bz.apache.org/bugzilla/show_bug.cgi?id=51223#c1

CORS doesn't require those headers on a 304, and indeed browsers work without them present on it. This is because many 304s are generated from intermediary caches that can't be updated to know about CORS.

Best Answer

Related Solutions

Why does Apache send 200 OK while Last-modified matches If-modified-since

ProxyPass changes 304 status to 200 and adds content-type

Related Topic