- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 09 Jun 2010 14:24:31 +0200
- To: Bil Corry <bil@corry.biz>
- CC: HTTP Working Group <ietf-http-wg@w3.org>, Michal Zalewski <lcamtuf@google.com>, Jeff Hodges <Jeff.Hodges@KingsMountain.com>, Adam Barth <ietf@adambarth.com>, "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
On 09.06.2010 02:18, Bil Corry wrote: > Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is suppose to be present (scroll down to "First HTTP header of the same name takes precedence?"): > > http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol > ... Interesting. That text mentions the test "Content-Length header value overrides actual content length?" I have trouble understanding what this means... Unless the connection is closed, or chunked encoding is in place, or the message is by definition not having a body (HEAD response), there *is* no other signal than Content-Length to find out the actual content length. Michal, could you clarify what this test is about? Best regards, Julian
Received on Wednesday, 9 June 2010 12:25:13 UTC