Handling multiple headers when only one is allowed

Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is suppose to be present (scroll down to "First HTTP header of the same name takes precedence?"):

 http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol

Essentially, the first header takes precedence for Internet Explorer and Safari while Firefox, Opera and Chrome use the last header.

In a similar thread I brought up on another list[1], Michal Zalewski explained the security implications of this issue[2], Julian Reschke pointed out that there's already a similar issue open[3] and Mark Nottingham suggested I bring it up here[4].

To summarize the issue, when a user-agent encounters multiple headers of the same name when only one is allowed, it must decide which header, if any, will be used.  The argument for using the first header centers on the premise that an attacker most likely will be injecting headers below the real header.  The argument for using the last header centers on the premise that sometimes web developers do not control the entire server, and thus can not control headers added by the server, but are able to add additional headers.

Given the mixed implementations among user-agents and the security implications therein, is it possible for this to be defined?


- Bil


[1] http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0221.html
[2] http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0223.html
[3] http://trac.tools.ietf.org/wg/httpbis/trac/ticket/95
[4] http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0226.html

Received on Wednesday, 9 June 2010 00:18:43 UTC