W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Handling multiple headers when only one is allowed

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 16 Dec 2009 13:13:56 -0800
Message-ID: <7789133a0912161313w574f260dk40df11b64fe5ca05@mail.gmail.com>
To: Bil Corry <bil@corry.biz>
Cc: public-web-security@w3.org
On Wed, Dec 16, 2009 at 12:39 PM, Bil Corry <bil@corry.biz> wrote:
> Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is supposed to be present (scroll down to "First HTTP header of the same name takes precedence?"):
>
>        http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol
>
> Essentially, the first header takes precedence for Internet Explorer and Safari while Firefox, Opera and Chrome use the last header.
>
> It would seem to me that using the first header would be slightly safer and I'm curious to know why Firefox, Opera and Chrome don't do it; that is, is there a compelling reason to use the last header?

Chrome used to use the first header for something (I think it was
Content-Type) but then changed to match Firefox because there was a
site that broke in Chrome but worked in Firefox for this reason.

Adam
Received on Wednesday, 16 December 2009 21:15:05 GMT
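The two tie-breaking policies discussed in this thread (first header wins, as the Handbook reports for Internet Explorer and Safari; last header wins, as reported for Firefox, Opera and Chrome) can be made concrete with a small parser. The code below is an added example, not code from the thread, from the Browser Security Handbook, or from any browser; the sample response, header names and function names are constructed for illustration. It parses a raw response header block while preserving duplicates, applies either policy, and also shows the check a proxy or test harness can apply so that the client's policy never decides the outcome: reject any response that repeats a header which is only allowed once.

```javascript
// Added example (not from the thread or from any browser's code).
// Minimal HTTP/1.1 response-header parser that keeps duplicate headers in
// order, plus the two duplicate-header policies described in the thread.

// Parse the header block of a raw response into { statusLine, headers },
// where headers is an ordered list of [lowercased-name, value] pairs.
// Duplicates are kept so that a policy can be applied afterwards.
function parseHeaderBlock(raw) {
  const [head] = raw.split(/\r?\n\r?\n/, 1);
  const lines = head.split(/\r?\n/);
  const statusLine = lines.shift();
  const headers = [];
  for (const line of lines) {
    if (line === '') continue;
    const idx = line.indexOf(':');
    if (idx < 1) continue; // malformed line, skipped here (clients vary on this too)
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.push([name, value]);
  }
  return { statusLine, headers };
}

// Return the value of a single-valued header under a policy.
// 'first' models the first-wins behaviour, 'last' the last-wins behaviour,
// as the thread describes them. Returns null when the header is absent.
function selectHeader(headers, name, policy) {
  const wanted = name.toLowerCase();
  const matches = headers.filter(([n]) => n === wanted);
  if (matches.length === 0) return null;
  return policy === 'first' ? matches[0][1] : matches[matches.length - 1][1];
}

// Show how the same response is interpreted under both policies.
function compare(raw, name) {
  const { headers } = parseHeaderBlock(raw);
  const wanted = name.toLowerCase();
  return {
    first: selectHeader(headers, name, 'first'),
    last: selectHeader(headers, name, 'last'),
    count: headers.filter(([n]) => n === wanted).length,
  };
}

// Server-side or proxy-side check: true if any header that is only allowed
// once appears more than once. Rejecting such responses removes the
// dependence on the client's tie-breaking policy altogether.
function hasDuplicateSingletonHeader(raw, singletonNames) {
  const { headers } = parseHeaderBlock(raw);
  const seen = new Set();
  for (const [n] of headers) {
    if (!singletonNames.includes(n)) continue;
    if (seen.has(n)) return true;
    seen.add(n);
  }
  return false;
}

// Constructed sample (hypothetical): Content-Type appears twice, so a
// first-wins client sees text/plain and a last-wins client sees text/html.
const SAMPLE_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/plain\r\n' +
  'X-Frame-Options: DENY\r\n' +
  'Content-Type: text/html\r\n' +
  '\r\n' +
  '<p>body</p>';

console.log(compare(SAMPLE_RESPONSE, 'Content-Type'));
console.log('duplicate singleton header:',
  hasDuplicateSingletonHeader(SAMPLE_RESPONSE, ['content-type', 'content-length', 'location']));
```

The singleton list passed to hasDuplicateSingletonHeader is deliberately explicit: some headers are defined as comma-separated lists and may legitimately be repeated (the recipient is expected to combine them), and Set-Cookie is a well-known case that repeats by design, so a blanket "any repeated header is an error" rule would break valid responses. Keep the list to headers whose meaning depends on being unique.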
