angular: Service worker does not update response headers

🐞 bug report

Affected Package

@angular/pwa @angular/service-worker

Is this a regression?

Description

Response headers are not updated when service worker updates assets.

🔬 Minimal Reproduction

Example with CSP header:

Add restricting Content Security Policy header on production server, like img-src 'self'
Add a violation to the restriction in you app (link to an image on different host)
Open angular PWA enabled application and ensure that CSP blocks that violation (in production)
Change CSP policy on the server to allow image requests to that host img-src 'self' https://imagehost.com
When the application is reloaded, service worker does not update neither assets nor headers for assets
When application is rebuilt and reloaded, service worker updates assets, but headers are not updated.

🌍 Your Environment

Angular Version:



     _                      _                 ____ _     ___ 
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | | 
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | | 
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/
    

Angular CLI: 8.3.4
Node: 12.9.1
OS: win32 x64
Angular: 8.2.6
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router, service-worker

Package                            Version
------------------------------------------------------------
@angular-devkit/architect          0.803.4
@angular-devkit/build-angular      0.803.4
@angular-devkit/build-ng-packagr   0.803.4
@angular-devkit/build-optimizer    0.803.4
@angular-devkit/build-webpack      0.803.4
@angular-devkit/core               8.3.4
@angular-devkit/schematics         8.3.4
@angular/cdk                       8.2.0
@angular/cli                       8.3.4
@angular/material                  8.2.0
@angular/pwa                       0.803.4
@ngtools/webpack                   8.3.4
@schematics/angular                8.3.4
@schematics/update                 0.803.4
ng-packagr                         5.5.0
rxjs                               6.5.3
typescript                         3.5.3
webpack                            4.39.2

Anything else relevant? Tested in Chrome 76.0.3809.132 and Firefox 69.0.1

About this issue

Original URL
State: closed
Created 5 years ago
Reactions: 1
Comments: 18 (9 by maintainers)

Most upvoted comments

I can also confirm this has been happening to me. It’s a very similar case, where the Content-Security Policy headers are very out of date, in my case, Content-Security headers are still being cached from roughly a month ago.

Unfortunately I can’t give a simple reproduction of the process, and the web app is closed-source.

When bypassing the service worker for the network in Chrome DevTools, the proper headers are used. When the service worker is toggled back on, the old headers are used and valid sources are blocked again. Hard clearing cache or forcibly deleting and reactivating the service worker fix this issue, however I can’t expect my end users to do that. So the old headers, it would seem, are somehow being cached despite a new version of CSP being available.

Let me know if I can provide any more information that might be useful to resolve this.

cbrandt713 on Oct 5, 2019