Specify browser behavior for CSP headers on 304 (not modified) responses

[lweichselbaum]

It seems that browser behave differently in case a CSP header is set on a 304 response.
E.g.:

• Chrome uses the cached CSP header instead of the CSP header provided in the 304 response.
• Firefox uses the CSP header provided in the 304 response instead of the cached CSP header.

In case of nonce based CSPs (which should change for every single response), Chrome's behavior doesn't break a site, if a CSP header with a new nonce is set on a 304.
While the preferred solution is probably to not set a CSP at all on 304s, it is likely that in practice not reusing the cached header will lead to (unexpected) breakages in a subset of browsers.

I think it would make sense to be consistent across browsers in handling CSP headers on 304s.

[annevk]

We should probably be clearer on this in Fetch somehow. I believe that what Firefox does is what's correct per HTTP and what browsers should align on. Copying @mnot and @reschke just in case.

[mikewest]

I'm pretty sure @mnot has told me about this being wrong in Chrome (and probably Blink- && WebKit-based browsers in general), but I don't recall the details of the conversation. I'm also not sure it's a Fetch-level question but a HTTP-level question.

[annevk]

https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch per step 21.3 Chrome is indeed wrong.

[mnot]

The headers in a 304 update a stored response. See:
http://httpwg.org/specs/rfc7234.html#freshening.responses

See also discussion in web-platform-tests/wpt#1400

[andypaicu]

Reviving this issue, from what I gather from the links the correct behavior here is to use the new CSP header if it is set (Firefox behavior).

With regards to this breaking sites, I expect that the risk is not that large considering those sites would have been broken in Firefox anyway so this would only affect sites that are designed to only work in Chrome (or maybe in webkit/blink browsers?) that use CSP and specifically nonces and use 304 pages where they explicitly set CSP headers. Also the fix for these sites should not be particularly difficult as all it involves is making sure not to send a CSP header on 304 pages.

There is the linked closed and censored issue that seems to hint at some sort of security issue around CSP and 304 responses, anyone have any clue what that is about?

[annevk]

From the commit message it looks like a misunderstanding to me.

I suspect this also isn't tested yet.

[andypaicu]

So as far as I can tell the CSP spec does not need updating, this is all fetch/HTTP level.

Perhaps a note about this behavior is warranted to ensure everything is clear.

And adding WPT tests of course.

[annevk]

Yeah, agreed. I don't think a note is needed as this affects everything header-based. But tests do seem good.

[mnot]

Ah. See:
https://bugs.chromium.org/p/chromium/issues/detail?id=174301

I've been talking to @mikewest and crew about this in the background, need to write some tests to make them comfortable about changing it, I think.