Handling multiple headers when only one is allowed

Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is suppose to be present (scroll down to "First HTTP header of the same name takes precedence?"):


Essentially, the first header takes precedence for Internet Explorer and Safari while Firefox, Opera and Chrome use the last header.

It would seem to me that using the first header would be slightly safer and I'm curious to know why Firefox, Opera and Chrome don't do it; that is, is there a compelling reason to use the last header?

- Bil

Received on Wednesday, 16 December 2009 20:41:17 UTC