User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Steps to reproduce: I built a little test suite thing for this: https://github.com/jakearchibald/http2-push-test/ The test is served at /vary-cookie/, which pushes a request that has "Cookie: val=a", and the pushed response has "Vary: Cookie". 1. Press the "Set cookie b" button, this sets val=b 2. Press "Fetch with credentials" & observe the console Actual results: 4 random numbers are logged. This is the pushed resource. Expected results: "NOT FROM PUSH" - because the pushed resource should not have matched.
It'd be interesting to see if the cache did this for a non-push request; my WPT tests didn't cover cases where the cookie was changed. Will give it a go ~tomorrow (currently in the air).