Open JannisBush opened 1 year ago
Generally, where we can get away with it, I think we should block as early as possible. So headers that can cause blocking should be handled first.
Whether CD should work for non-2xx I'm not sure. Does it work for 404? Perhaps that should be its own issue.
404 with CD seems to trigger a download in WebKit, a new tab in Gecko, and an error page in Chromium.
Browsers currently diverge in their handling of Content-Disposition headers in combination with CSP or non-200 status codes. The specification seems to be under-specified and missing tests in this area: https://html.spec.whatwg.org/#downloading-resources
Example differences:
In general, it seems like the order/priority of headers and status codes is not principled and instead handled in an ad-hoc manner in the implementations. Thus, similar issues could probably be discovered for other header combinations and header/status code combinations as well.