
[CSP] Difference in browser behaviour for 304 responses

From: André N. Klingsheim <andre.klingsheim@owasp.org>
Date: Sat, 10 Oct 2015 16:42:12 +0200
To: public-webappsec@w3.org
Message-ID: <561923C4.4040802@owasp.org>
I've noticed a difference in behaviour between Chrome and Firefox for 
304 responses. Firefox picks up on an added/changed CSP, but Chrome does 
not. This particular scenario is not mentioned in the spec; it would 
perhaps be worth specifying in the next version?

I came across the issue when talking to a developer who wanted to serve 
a static HTML file which in turn loaded his SPA (Single Page web 
Application) with CSP protection.

IMHO the Firefox behaviour is the most useful one, as it would allow you 
to add/update a CSP without having to touch static files.

Thoughts? Should I submit an issue and/or bug somewhere?

-- 
André N. Klingsheim
Received on Saturday, 10 October 2015 14:42:50 UTC
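As an added illustration (not code from the original post or from either browser), the snippet below models the header update an HTTP cache is required to perform when a 304 Not Modified revalidates a stored response (RFC 7234 section 4.3.4: fields present in the 304 replace all instances of the same field in the stored response). Applied to a Content-Security-Policy header that was added on the server after the static file was cached, it yields the outcome the post attributes to Firefox; the sample headers are constructed.

```python
# Added example, not from the original post: a minimal model of RFC 7234
# section 4.3.4 "freshening" of a stored 200 response by a 304 response,
# used to show which CSP a spec-conformant cache ends up enforcing.
from typing import List, Tuple

Header = Tuple[str, str]


def freshen(stored: List[Header], not_modified: List[Header]) -> List[Header]:
    """Return the stored response's headers after a successful revalidation.

    Every header field carried by the 304 replaces all instances of that
    field in the stored response; fields absent from the 304 are kept.
    Field names are compared case-insensitively, as HTTP requires.
    """
    replaced = {name.lower() for name, _ in not_modified}
    kept = [(n, v) for n, v in stored if n.lower() not in replaced]
    return kept + list(not_modified)


def csp_after_revalidation(stored: List[Header], not_modified: List[Header]) -> List[str]:
    """All Content-Security-Policy values the client should enforce after the 304.

    A browser combines multiple CSP headers by enforcing every policy,
    so every instance is returned rather than only the first.
    """
    return [v for n, v in freshen(stored, not_modified)
            if n.lower() == "content-security-policy"]


# Constructed sample: the static HTML was first cached without any CSP.
STORED_200: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("ETag", '"abc123"'),
    ("Cache-Control", "max-age=0, must-revalidate"),
]

# Constructed sample: the server later added a CSP without touching the file,
# so the conditional request is answered with a 304 carrying the new header.
NOT_MODIFIED_304: List[Header] = [
    ("ETag", '"abc123"'),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example"),
]

if __name__ == "__main__":
    # Expected: the policy from the 304 is the one in force after revalidation.
    print(csp_after_revalidation(STORED_200, NOT_MODIFIED_304))
```

A client that ignores headers on the 304 (the Chrome behaviour described in the post) keeps enforcing whatever policy the stored 200 carried, which for the sample above is none at all.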
