--- a/wp/wp-admin/load-scripts.php	Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-admin/load-scripts.php	Fri Sep 05 18:40:08 2025 +0200
@@ -45,7 +45,26 @@
 wp_default_packages_vendor( $wp_scripts );
 wp_default_packages_scripts( $wp_scripts );
 
-if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $wp_version ) {
+$etag = "WP:{$wp_version};";
+
+foreach ( $load as $handle ) {
+	if ( ! array_key_exists( $handle, $wp_scripts->registered ) ) {
+		continue;
+	}
+
+	$ver   = $wp_scripts->registered[ $handle ]->ver ? $wp_scripts->registered[ $handle ]->ver : $wp_version;
+	$etag .= "{$handle}:{$ver};";
+}
+
+/*
+ * This is not intended to be cryptographically secure, just a fast way to get
+ * a fixed length string based on the script versions. As this file does not
+ * load the full WordPress environment, it is not possible to use the salted
+ * wp_hash() function.
+ */
+$etag = 'W/"' . md5( $etag ) . '"';
+
+if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $etag ) {
 	header( "$protocol 304 Not Modified" );
 	exit;
 }
@@ -59,7 +78,7 @@
 	$out .= get_file( $path ) . "\n";
 }
 
-header( "Etag: $wp_version" );
+header( "Etag: $etag" );
 header( 'Content-Type: application/javascript; charset=UTF-8' );
 header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + $expires_offset ) . ' GMT' );
 header( "Cache-Control: public, max-age=$expires_offset" );