Security headers are duplicated (X-UA-Compatible, X-Content-Type-Options, X-Frame-Options)

Related: 🐛 Duplicate HTTP headers should be removed RTBC . We should test if that fixes it for BigPipe Sessionless too.

I haven't empirically tested this but my assessment of the core change in https://www.drupal.org/project/drupal/issues/2861552 🐛 Duplicate HTTP headers should be removed RTBC is that it only deduplicates headers configured via #attached, which are mostly Link headers.

The headers duplicated here are copied directly from the original response object to the new one and then pass through EventSubscribers that originally added them which then add them again. So I don't think that ticket fixes it. I also think it makes sense for Drupal to validate and deduplicate its own "header instructions" - but technically at the request/response level duplicating headers is normal and acceptable so it wouldn't make sense to reactively fix it at that level so not sure the fix would translate well

Right — I should've read the patch in detail, sorry! The titles just sounded so similar! 😬

Any chance you could write a failing test for this issue? That'd make this far easier to commit — the current MR looks clean (👏), but is far more complicated than the issue title would imply/suggest: it's not just simple deduplication! 😅

D'OH! The MR does have test coverage! 🙈

Converted that into a patch.

It's #8 that this issue is marked for, not for tests. So removing the tag. 👍

Unfortunately, it looks like my fix in 🐛 Pages generated via subrequest never get cached Needs work does not solve this issue. But it might help?

Rebased the MR.

I cannot get the test-only patch in #14 to fail locally. Can you? 😅

I bet this was caused by the 🐛 FinishResponseSubscriber could create duplicate headers Fixed bug in Drupal core 😅.

That would explain why I could not reproduce this in #17.

Can you please try to reproduce this manually with that core patch applied?