- From: André N. Klingsheim <andre.klingsheim@owasp.org>
- Date: Sat, 10 Oct 2015 16:42:12 +0200
- To: public-webappsec@w3.org

I've noticed a difference in behaviour between Chrome and Firefox for 304 responses. Firefox picks up on an added/changed CSP, but Chrome does not. This particular scenario is not mentioned in the spec; it would perhaps be worth specifying in the next version?

I came across the issue when talking to a developer who wanted to serve a static HTML file which in turn loaded his SPA (Single Page web Application) with CSP protection. IMHO the Firefox behaviour is the most useful one, as it would allow you to add/update a CSP without having to touch static files.

Thoughts? Should I submit an issue and/or bug somewhere?

--
André N. Klingsheim

Received on Saturday, 10 October 2015 14:42:50 UTC
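
The two behaviours described in the message, modelled as an added example (not part of the original e-mail and not code from any browser). The function names, the "merge" and "stored" policy labels and the sample responses are constructed for illustration.

```javascript
// Constructed model of cache revalidation; not code from any browser.

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Headers the cached document is processed with after a revalidation.
//   "merge":  fields in the 304 replace the stored ones
//             (what the message reports for Firefox).
//   "stored": the stored header set is reused untouched
//             (what the message reports for Chrome).
function effectiveHeaders(stored, reply, policy) {
  if (reply.status !== 304) return normalize(reply.headers); // full response wins
  const cached = normalize(stored.headers);
  if (policy === "stored") return cached;
  return { ...cached, ...normalize(reply.headers) };
}

function effectiveCsp(stored, reply, policy) {
  return effectiveHeaders(stored, reply, policy)["content-security-policy"] || null;
}

// Reports whether the enforced policy depends on which behaviour the client has.
function compareClients(stored, reply) {
  const merge = effectiveCsp(stored, reply, "merge");
  const storedOnly = effectiveCsp(stored, reply, "stored");
  return { merge, stored: storedOnly, clientDependent: merge !== storedOnly };
}

// Constructed sample: index.html was cached before any CSP was configured.
const storedResponse = {
  status: 200,
  headers: { "ETag": '"v1"', "Content-Type": "text/html" },
};
// Constructed sample: the file is unchanged, the server now sends a CSP.
const notModified = {
  status: 304,
  headers: { "ETag": '"v1"', "Content-Security-Policy": "default-src 'self'" },
};

console.log(compareClients(storedResponse, notModified));
```

When `clientDependent` is true, a client that reuses the stored header set keeps rendering the cached page without the newly added policy until it receives a full response.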