Interactions of Content-Disposition with CSP-FA/XFO and Status Codes

JannisBush commented 1 year ago

Browsers currently diverge in their handling of Content-Disposition headers in combination with CSP or non-200 status codes. The specification seems to be under-specified and missing tests in this area: https://html.spec.whatwg.org/#downloading-resources

Example differences:

iframe response with CD and CSP FA/XFO: WebKit blocks, Chromium/Firefox download
iframe response with CD and status code 3XX without a location header: Chromium blocks, WebKit prompts, Firefox opens a new tab
iframe response with CD and status code 205: Chromium prompts and fails, WebKit prompts, Firefox does not prompt

In general, it seems like the order/priority of headers and status codes is not principled and instead handled in an ad-hoc manner in the implementations. Thus, similar issues could probably be discovered for other header combinations and header/status code combinations as well.

annevk commented 12 months ago

Generally, where we can get away with it I think we should block as early as possible. So headers that can cause blocking should be handled first.

Whether CD should work for non-2xx I'm not sure. Does it work for 404? Perhaps that should be its own issue.

JannisBush commented 12 months ago

404 with CD seem to trigger a Download in WebKit, new tab in Gecko, and error page in Chromium.

whatwg / html

Interactions of Content-Disposition with CSP-FA/XFO and Status Codes #9762