ETag changes for every same request/response.

[tonytonyjan]

Steps to reproduce

rails new myapp
cd myapp
bin/rails g controller pages home
bin/rails s -d
curl -s -D - http://localhost:3000/pages/home -o /dev/null | grep ETag
curl -s -D - http://localhost:3000/pages/home -o /dev/null | grep ETag

Expected behavior

According to the document:

Rails generates weak ETags by default. Weak ETags allow semantically equivalent responses to have the same ETags, even if their bodies do not match exactly. This is useful when we don't want the page to be regenerated for minor changes in response body.

ETag should be the same.

Actual behavior

ETags changes even though the body is the same. It happens in both production and development mode.

System configuration

Rails version: 5.1.2

Ruby version: 2.4.1

[georgeclaghorn]

The ETag header is set by Rack::ETag, part of the Rails middleware stack by default. It computes the ETag by digesting the response body, which differs for every request because of the csrf-param meta tag.

[sgrif]

Yeah, this is definitely the expected behavior. We need to provide the CSRF token. We would not want the etags to match in this case.

[triskweline]

I wrote a Rack Middleware that produces the same ETag for responses that only differ in CSRF tokens or CSP nonces:
https://github.com/makandra/rack-steady_etag