W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Handling multiple headers when only one is allowed

From: Bil Corry <bil@corry.biz>
Date: Wed, 16 Dec 2009 12:39:45 -0800
Message-ID: <4B294591.5070404@corry.biz>
To: public-web-security@w3.org
Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is suppose to be present (scroll down to "First HTTP header of the same name takes precedence?"):


Essentially, the first header takes precedence for Internet Explorer and Safari while Firefox, Opera and Chrome use the last header.

It would seem to me that using the first header would be slightly safer and I'm curious to know why Firefox, Opera and Chrome don't do it; that is, is there a compelling reason to use the last header?

- Bil
Received on Wednesday, 16 December 2009 20:41:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC