
"actual content length", was: Handling multiple headers when only one is allowed

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 09 Jun 2010 14:24:31 +0200
Message-ID: <4C0F87FF.8040600@gmx.de>
To: Bil Corry <bil@corry.biz>
CC: HTTP Working Group <ietf-http-wg@w3.org>, Michal Zalewski <lcamtuf@google.com>, Jeff Hodges <Jeff.Hodges@KingsMountain.com>, Adam Barth <ietf@adambarth.com>, "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>

On 09.06.2010 02:18, Bil Corry wrote:
> Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is supposed to be present (scroll down to "First HTTP header of the same name takes precedence?"):
>
> 	http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol
> ...

Interesting.

That text mentions the test

   "Content-Length header value overrides actual content length?"

I have trouble understanding what this means... Unless the connection is 
closed, or chunked encoding is in place, or the message is by definition 
not having a body (HEAD response), there *is* no other signal than 
Content-Length to find out the actual content length.

Michal, could you clarify what this test is about?

Best regards, Julian
Received on Wednesday, 9 June 2010 12:25:13 GMT
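
The framing signals listed in the message above, as an added example that is not part of the original post or of any project's code. It goes beyond the cases the message names: it also treats 1xx, 204 and 304 responses as bodiless and rejects conflicting Content-Length headers (the subject of the original thread). The function name and the sample responses are hypothetical and constructed.

```python
# Added illustration; names and sample responses are constructed, not from the thread.
def body_framing(request_method, raw_head):
    """Return (mode, length): how the response body is delimited.

    mode: "none", "chunked", "content-length" or "until-close".
    Raises ValueError when Content-Length is malformed or ambiguous.
    """
    lines = raw_head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    # 1. Responses that never carry a body, whatever the headers say.
    if request_method == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return ("none", 0)

    # 2. Chunked transfer coding takes precedence over Content-Length.
    codings = b",".join(headers.get(b"transfer-encoding", [])).lower()
    if codings.split(b",")[-1].strip() == b"chunked":
        return ("chunked", None)

    # 3. Content-Length: all values on all header lines must agree.
    values = set()
    for field in headers.get(b"content-length", []):
        for item in field.split(b","):
            item = item.strip()
            if not item.isdigit():
                raise ValueError("malformed Content-Length: %r" % item)
            values.add(int(item))
    if len(values) > 1:
        raise ValueError("conflicting Content-Length values")
    if values:
        return ("content-length", values.pop())

    # 4. No other signal left: the body ends when the connection closes.
    return ("until-close", None)

# Constructed sample response heads.
SAMPLE_SINGLE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
SAMPLE_DUPLICATE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\n"
SAMPLE_CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n"
SAMPLE_NO_LENGTH = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
```
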
