[CSP] Difference in browser behaviour for 304 responses

I've noticed a difference in behaviour between Chrome and Firefox for 
304 responses. Firefox picks up on an added/changed CSP, but Chrome does 
not. This particular scenario is not mentioned in the spec; it would 
perhaps be worth specifying in the next version?

I came across the issue when talking to a developer who wanted to serve 
a static HTML file which in turn loaded his SPA (Single Page web 
Application) with CSP protection.

IMHO the Firefox behaviour is the most useful one, as it would allow you 
to add/update a CSP without having to touch static files.

Thoughts? Should I submit an issue and/or bug somewhere?

-- 
André N. Klingsheim

Received on Saturday, 10 October 2015 14:42:50 UTC
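
A small server for reproducing the scenario described in this message (an added example, not part of the original post): the first 200 response carries no CSP, and the 304 sent on revalidation adds one. The port, page markup and policy value are assumptions chosen for the test.

```python
"""Repro server: the 200 response has no CSP; the later 304 adds one."""
import hashlib
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed test page: the inline script rewrites the text only if no
# CSP is being enforced for the document.
PAGE = (b"<!doctype html><title>304 CSP test</title>"
        b"<p id=out>inline script blocked (CSP enforced)</p>"
        b"<script>document.getElementById('out').textContent="
        b"'inline script ran (no CSP enforced)'</script>")
ETAG = '"%s"' % hashlib.sha256(PAGE).hexdigest()[:16]
CSP = "default-src 'self'"  # assumed policy; it disallows inline script


def respond(if_none_match):
    """Return (status, headers, body) for a GET with this If-None-Match."""
    if if_none_match and ETAG in if_none_match:
        # Revalidation hit: no body, but the policy is added on the 304.
        return 304, {"ETag": ETAG, "Cache-Control": "no-cache",
                     "Content-Security-Policy": CSP}, b""
    # First fetch or stale validator: full body, deliberately without CSP.
    # "no-cache" makes the browser revalidate on every later load.
    return 200, {"ETag": ETAG, "Cache-Control": "no-cache",
                 "Content-Type": "text/html; charset=utf-8",
                 "Content-Length": str(len(PAGE))}, PAGE


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = respond(self.headers.get("If-None-Match"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed local address; open http://127.0.0.1:8000/ and then reload.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

After the first load, reload the page so the browser sends a conditional request: the paragraph text shows whether the policy from the 304 was applied to the cached document.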