Description
HTTP status 304 responses returned by our cloud.gov-hosted application are not loading correctly in Chrome.
Notes
Steps to reproduce (Chrome Version 125.0.6422.142 (Official Build) (arm64))
- Visit https://touchpoints.digital.gov/. Note that there is a blue button at the bottom of the screen that says "How can we improve Touchpoints?".
- Reload the page. Note that the button is gone.
- Look in the Network tab (with "Disable cache" turned off). You should see a request to https://touchpoints.app.cloud.gov/touchpoints/92b47c29/js with status "(failed)net::ERR_BLOCKED_BY_ORB".
My theory of what's going on
In the Touchpoints code
Touchpoints is a Rack app and the Rack code deliberately deletes the Content-Type header for 304 responses.
In the cloud.gov code
Touchpoints is deployed on cloud.gov. I don't know much about the internals of cloud.gov but I'm guessing that the proxy defined in this repo is sitting in front of the Touchpoints app and is adding a default content-type header to our 304 response.
In Chrome
Chrome recently introduced a new security feature https://chromestatus.com/feature/5166834424217600. On the feature page, it is listed as "In development" but I'm pretty sure it has actually been deployed and fully rolled out. The new feature is not very well documented IMO but the spec has this line - "If nosniff is true and mimeType's essence is 'text/plain', then return false" - which I think explains where the net::ERR_BLOCKED_BY_ORB error is coming from.
Acceptance Criteria
- cloud.gov-hosted applications should be able to return 304 responses without content-type headers and still work in Chrome.
I may be biased but I think Touchpoints's behavior is above board here. The HTTP spec recommends limiting headers returned for 304 responses.
I defer to the cloud.gov team as to whether or not this is a Chrome bug vs. something that could be fixed in cloud.gov.