- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 24 Aug 2016 07:11:47 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Wednesday, 24 August 2016 14:12:20 UTC
Firefox has some logic to prevent CRLF header injection attacks for Location, Content-Length, and Content-Disposition headers. Search for "IsSuspectDuplicateHeader" in

http://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHeaderArray.h
http://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHeaderArray.cpp

I'm not entirely sure whether to standardize this since other implementations seem to have different behavior, but it does seem nice as defense-in-depth.

Note that Firefox' behavior also affects what can be observed in the API as the duplicate headers with equal values are silently dropped and therefore not exposed.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/375
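
A minimal sketch of the duplicate-header check described in the message above, as an added example that is not part of the original email and is not Firefox's code. The function and sample names are hypothetical, and failing the response when the duplicate values differ is this sketch's assumption about how a conflict is handled; the message itself only states that equal-valued duplicates are silently dropped.

```javascript
// Added illustration. Only the three header names come from the message;
// every identifier below is hypothetical.
const SUSPECT_HEADERS = new Set(["location", "content-length", "content-disposition"]);

// rawHeaders: [name, value] pairs in the order they arrived from the network.
// Returns { ok: true, headers } or { ok: false, reason }.
function mergeResponseHeaders(rawHeaders) {
  const headers = [];
  const seenSuspect = new Map(); // lower-cased name -> first value seen
  for (const [name, rawValue] of rawHeaders) {
    const key = name.toLowerCase();
    const value = rawValue.replace(/^[ \t]+|[ \t]+$/g, ""); // strip optional whitespace
    if (SUSPECT_HEADERS.has(key)) {
      if (seenSuspect.has(key)) {
        // Equal duplicate: dropped silently, so API callers never see it.
        if (seenSuspect.get(key) === value) continue;
        // Assumption: a differing duplicate means a header line was injected
        // (or the response is otherwise ambiguous), so the response fails.
        return { ok: false, reason: `conflicting duplicate ${key}` };
      }
      seenSuspect.set(key, value);
    }
    headers.push([key, value]);
  }
  return { ok: true, headers };
}

// Constructed sample inputs (not captured traffic).
const SAMPLE_EQUAL_DUPLICATE = [
  ["Content-Type", "text/html"],
  ["Content-Length", "120"],
  ["content-length", " 120 "],
];
const SAMPLE_CONFLICT = [
  ["Location", "https://example.org/next"],
  ["Set-Cookie", "a=b"],
  ["Location", "https://other.example/"],
];
const SAMPLE_NON_SUSPECT = [
  ["Set-Cookie", "a=b"],
  ["Set-Cookie", "c=d"],
];

console.log(mergeResponseHeaders(SAMPLE_EQUAL_DUPLICATE));
console.log(mergeResponseHeaders(SAMPLE_CONFLICT));
```

The first sample shows the API-visible side effect mentioned in the message: the caller sees one Content-Length entry even though two were sent.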