webhintio / hint

💡 A hinting engine for the web

Home Page:https://webhint.io/

[Docs Bug] `X-Content-Type-Options` for 304 responses

PaperStrike opened this issue · comments

📚 Request documentation enhancements

Description

For 304 responses, webhint should check the initial 200 cache for X-Content-Type-Options. Currently, Webhint DevTools gives false positives on page reloads.

Details

Link: Use X-Content-Type-Options Header | webhint documentation

As per RFC 9110 section 15.4.5, a 304 response should include only metadata that guides cache updates; headers such as X-Content-Type-Options should not be included until we update their value.

If I've read the relevant source code correctly, part of httpwg/http-core#165 is still relevant: Chrome and WebKit ignore x-content- headers in 304 responses. nosniff should be set on the initial 200 response. Adding the X-Content-Type-Options header to 304 responses feels like a complete waste.
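As an added example, not webhint's own code, here is the cache-aware lookup the issue asks for, written in JavaScript: a 304 is judged by the `X-Content-Type-Options` header of the 200 response last cached for the same URL, rather than by the 304's own headers. The `{ url, status, headers }` exchange shape, the function names and the sample exchanges are assumptions constructed for illustration.

```javascript
// Added example (not webhint's code): a minimal "nosniff" check that resolves
// 304 responses to the 200 response cached for the same URL instead of
// flagging the 304 itself. Exchange shape and names are assumed.

const NOSNIFF = 'nosniff';

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Walks an ordered list of exchanges and returns findings. A 200 response
// refreshes the per-URL cache; a 304 is checked against that cached 200,
// and a 304 with no cached 200 is reported on its own since there is no
// response whose headers the cache could carry forward.
function checkNosniff(exchanges) {
  const cache = new Map(); // url -> headers of the last 200 response
  const findings = [];

  for (const { url, status, headers } of exchanges) {
    let effective;
    if (status === 200) {
      cache.set(url, headers);
      effective = headers;
    } else if (status === 304) {
      if (!cache.has(url)) {
        findings.push({ url, status, message: '304 without a cached 200 response for this URL' });
        continue;
      }
      effective = cache.get(url); // the 304's own headers are deliberately ignored
    } else {
      continue; // other statuses are out of scope for this example
    }

    const value = getHeader(effective, 'x-content-type-options');
    if (value === undefined) {
      findings.push({ url, status, message: "'x-content-type-options' header was not specified" });
    } else if (value.trim().toLowerCase() !== NOSNIFF) {
      findings.push({ url, status, message: `'x-content-type-options' has the wrong value: '${value}'` });
    }
  }
  return findings;
}

// Constructed sample: each asset is fetched once (200) and then revalidated
// on reload (304). Only the stylesheet's initial 200 is missing nosniff.
const sampleExchanges = [
  { url: 'https://example.com/app.js', status: 200,
    headers: { 'Content-Type': 'text/javascript', 'X-Content-Type-Options': 'nosniff', ETag: '"abc"' } },
  { url: 'https://example.com/app.js', status: 304, headers: { ETag: '"abc"' } },
  { url: 'https://example.com/style.css', status: 200,
    headers: { 'Content-Type': 'text/css', ETag: '"def"' } },
  { url: 'https://example.com/style.css', status: 304, headers: { ETag: '"def"' } },
  { url: 'https://example.com/orphan.js', status: 304, headers: { ETag: '"ghi"' } },
];

for (const f of checkNosniff(sampleExchanges)) {
  console.log(`${f.status} ${f.url}: ${f.message}`);
}
```

With the sample above, the reloaded `app.js` produces no finding because its cached 200 carries `nosniff`; `style.css` is reported for both the 200 and the 304, which is correct since the cached 200 lacks the header; and the orphaned 304 is reported separately because nothing was cached to inherit from.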