"actual content length", was: Handling multiple headers when only one is allowed

On 09.06.2010 02:18, Bil Corry wrote:
> Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is supposed to be present (scroll down to "First HTTP header of the same name takes precedence?"):
>
>  http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol
> ...

Interesting.

That text mentions the test

   "Content-Length header value overrides actual content length?"

I have trouble understanding what this means... Unless the connection is 
closed, or chunked encoding is in place, or the message by definition 
has no body (a HEAD response), there *is* no other signal than 
Content-Length to find out the actual content length.

Michal, could you clarify what this test is about?

Best regards, Julian

Received on Wednesday, 9 June 2010 12:25:13 UTC
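The body-length rules Julian lists above (no body for HEAD responses, chunked encoding, Content-Length, otherwise read until the connection closes) are exactly the precedence order a conforming HTTP/1.1 client has to apply. The following is an added example, not code from the thread or from the Browser Security Handbook: a small response framer that applies those rules to constructed sample responses, and, in keeping with the thread's original subject, rejects a response whose repeated Content-Length headers disagree instead of silently picking the first or last one. The function names and sample messages are my own.

```python
"""Determine how an HTTP/1.1 response body is delimited and extract it.

Precedence (RFC 7230 section 3.3.3, the same rules Julian enumerates):
  1. HEAD responses and 1xx/204/304 responses carry no body.
  2. Transfer-Encoding ending in "chunked" -> body is chunked.
  3. Content-Length -> body is exactly that many octets. Repeated or
     list-form Content-Length values must all agree, otherwise the
     message is rejected (a disagreement is a framing ambiguity).
  4. Otherwise the body runs until the connection is closed.
"""
import re


class FramingError(ValueError):
    """Raised when the message cannot be framed unambiguously."""


def parse_head(raw):
    """Split a raw response into (status_code, [(name, value)], remaining bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of headers")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise FramingError("bad status line")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("latin-1")))
    return int(m.group(1)), headers, rest


def body_framing(method, status, headers):
    """Return ("none", 0), ("chunked", None), ("content-length", n) or ("close", None)."""
    if method.upper() == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return ("none", 0)
    te = [v for n, v in headers if n == "transfer-encoding"]
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] == "chunked":
            return ("chunked", None)
        return ("close", None)  # TE present but not chunked: close-delimited
    cl = [v for n, v in headers if n == "content-length"]
    if cl:
        values = set()
        for v in cl:
            for part in v.split(","):  # "Content-Length: 5, 5" is list form
                part = part.strip()
                if not re.fullmatch(r"[0-9]+", part):
                    raise FramingError("invalid Content-Length %r" % part)
                values.add(int(part))
        if len(values) != 1:
            raise FramingError("conflicting Content-Length values %s" % sorted(values))
        return ("content-length", values.pop())
    return ("close", None)


def decode_chunked(data):
    """Decode a chunked body; trailers after the zero-size chunk are ignored."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0].strip(), 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise FramingError("bad chunk terminator")
        pos += 2


def extract_body(method, raw):
    """Return the body of a complete raw response received for `method`."""
    status, headers, rest = parse_head(raw)
    kind, length = body_framing(method, status, headers)
    if kind == "none":
        return b""
    if kind == "chunked":
        return decode_chunked(rest)
    if kind == "content-length":
        if len(rest) < length:
            raise FramingError("truncated body: want %d, have %d" % (length, len(rest)))
        return rest[:length]  # anything beyond is the next message, not this body
    return rest  # close-delimited: everything received is the body


def is_rejected(method, raw):
    """True if the response cannot be framed unambiguously."""
    try:
        extract_body(method, raw)
        return False
    except FramingError:
        return True


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "content-length": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhelloEXTRA",
    "chunked": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "conflicting": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 10\r\n\r\nhello world",
    "no-framing": b"HTTP/1.1 200 OK\r\n\r\nuntil close",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "rejected" if is_rejected("GET", raw) else extract_body("GET", raw))
    print("HEAD", extract_body("HEAD", SAMPLES["content-length"]))
```

The "content-length" sample shows Julian's point directly: nothing in the byte stream says where the body ends except the header, so the trailing "EXTRA" is treated as the start of the next message, not as part of this one. The "conflicting" sample is the case the thread's subject is about; the safe behaviour is to refuse the message rather than guess which header wins.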