
Re: Handling multiple headers when only one is allowed

From: Nathan <nathan@webr3.org>
Date: Wed, 09 Jun 2010 01:32:23 +0100
Message-ID: <4C0EE117.5030901@webr3.org>
To: Bil Corry <bil@corry.biz>
CC: HTTP Working Group <ietf-http-wg@w3.org>, Michal Zalewski <lcamtuf@google.com>, Jeff Hodges <Jeff.Hodges@KingsMountain.com>, Adam Barth <ietf@adambarth.com>, "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Does this (or should this) take into account multiple values in a header
when only one is allowed? For instance, if the following header is set:

   Content-Location: foo.html, bar.html
Bil Corry wrote:
> Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is supposed to be present (scroll down to "First HTTP header of the same name takes precedence?"):
> 	http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol
> Essentially, the first header takes precedence for Internet Explorer and Safari while Firefox, Opera and Chrome use the last header.
> In a similar thread I brought up on another list[1], Michal Zalewski explained the security implications of this issue[2], Julian Reschke pointed out that there's already a similar issue open[3] and Mark Nottingham suggested I bring it up here[4].
> To summarize the issue, when a user-agent encounters multiple headers of the same name when only one is allowed, it must decide which header, if any, will be used.  The argument for using the first header centers on the premise that an attacker most likely will be injecting headers below the real header.  The argument for using the last header centers on the premise that sometimes web developers do not control the entire server, and thus cannot control headers added by the server, but are able to add additional headers.
> Given the mixed implementations among user-agents and the security implications therein, is it possible for this to be defined?
> - Bil
> [1] http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0221.html
> [2] http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0223.html
> [3] http://trac.tools.ietf.org/wg/httpbis/trac/ticket/95
> [4] http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0226.html
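The first-wins / last-wins divergence Bil describes, and the comma-separated case Nathan raises, as an added illustration (not code from the thread): a small header parser with a selectable policy, where the "strict" policy refuses to guess when a single-valued header is ambiguous. The set of singleton headers, the sample responses and the ", " list heuristic are constructed assumptions for this example.

```python
"""Duplicate single-valued headers: first-wins, last-wins, or refuse (strict)."""
from typing import List, Optional, Tuple

# Assumed subset of headers that must appear at most once and never carry a
# comma-separated list (constructed for this example, not a normative list).
SINGLETON_HEADERS = {"content-location", "content-length", "content-type", "location"}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse a CRLF-delimited header block into ordered (name, value) pairs.

    Order is preserved on purpose: the first/last decision depends on it.
    """
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def select_singleton(fields: List[Tuple[str, str]], name: str,
                     policy: str = "strict") -> Optional[str]:
    """Resolve a single-valued header under one of three policies.

    "first"  - behaviour the thread attributes to Internet Explorer and Safari.
    "last"   - behaviour the thread attributes to Firefox, Opera and Chrome.
    "strict" - defender's policy: raise on duplicates, or on a list-looking value
               in a header that allows only one value (Nathan's comma case).
    """
    key = name.lower()
    values = [v for n, v in fields if n == key]
    if not values:
        return None
    # ", " is used here as a heuristic list separator; a bare comma can be a
    # legitimate URI character, so this check is an assumption, not a rule.
    looks_like_list = key in SINGLETON_HEADERS and ", " in values[0]
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "strict":
        if len(values) > 1 or looks_like_list:
            raise ValueError(f"ambiguous single-valued header {name!r}: {values}")
        return values[0]
    raise ValueError(f"unknown policy {policy!r}")


# Constructed samples: a genuine header followed by a duplicate, and a comma list.
DUPLICATE_RESPONSE = ("Content-Type: text/html\r\nContent-Location: real.html\r\n"
                      "Content-Location: second.html\r\n\r\n")
COMMA_RESPONSE = "Content-Location: foo.html, bar.html\r\n\r\n"
```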
Received on Wednesday, 9 June 2010 00:33:20 UTC