Interactions of Content-Disposition with CSP-FA/XFO and Status Codes #9762
Labels: security/privacy (there are security or privacy implications); security-tracker (brought to the attention of the security group, or tracked by it but not needing a response); topic: fetch
Browsers currently diverge in their handling of Content-Disposition headers in combination with CSP or non-200 status codes.
The specification seems to be under-specified and missing tests in this area: https://html.spec.whatwg.org/#downloading-resources
Example differences:
In general, it seems like the order/priority of headers and status codes is not principled and instead handled in an ad-hoc manner in the implementations. Thus, similar issues could probably be discovered for other header combinations and header/status code combinations as well.
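A probe harness for the combinations the issue describes, added here as an example and not part of the issue, the HTML spec, or its test suite: it serves every cell of a small constructed matrix (status code × Content-Disposition × CSP frame-ancestors / X-Frame-Options) behind a page of iframes, so the download / render / block outcome can be recorded per browser. The matrix values, the /probe URL scheme and the query parameter names are assumptions.

```python
import itertools
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed test matrix: the dimensions are the ones the issue names, the values are assumed.
STATUSES = (200, 404, 500)
DISPOSITIONS = ("inline", "attachment")
FRAMING = {"none": {},
           "csp": {"Content-Security-Policy": "frame-ancestors 'none'"},
           "xfo": {"X-Frame-Options": "DENY"}}

def build_headers(status, disposition, framing):
    """Headers for one cell: the download hint plus an optional framing restriction."""
    headers = {"Content-Type": "text/plain",
               "Content-Disposition": f'{disposition}; filename="probe-{status}.txt"'}
    headers.update(FRAMING.get(framing, {}))
    return headers

def matrix():
    """All (status, disposition, framing) cells; 18 with the values above."""
    return list(itertools.product(STATUSES, DISPOSITIONS, FRAMING))

def index_html():
    """One iframe per cell; note per browser whether each downloads, renders, or is blocked."""
    rows = "".join(
        f'<p>{s} / {d} / {f}: <iframe src="/probe?status={s}&amp;cd={d}&amp;fr={f}"></iframe></p>'
        for s, d, f in matrix())
    return f"<!doctype html><title>CD vs CSP-FA/XFO probe</title>{rows}"

class Probe(BaseHTTPRequestHandler):
    def _reply(self, status, headers, body):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/probe":  # every other path serves the matrix page
            return self._reply(200, {"Content-Type": "text/html"}, index_html().encode())
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        status, cd, fr = int(q.get("status", "200")), q.get("cd", "inline"), q.get("fr", "none")
        self._reply(status, build_headers(status, cd, fr), f"cell {status}/{cd}/{fr}\n".encode())

if __name__ == "__main__":  # then open http://127.0.0.1:8000/ in each browser under test
    HTTPServer(("127.0.0.1", 8000), Probe).serve_forever()
```

Loading the index in each browser and noting which cells trigger a download, render inline, or are blocked by the framing header gives a concrete per-browser table of the divergence the issue reports.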