- From: Bil Corry <bil@corry.biz>
- Date: Wed, 16 Dec 2009 12:39:45 -0800
- To: public-web-security@w3.org
Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is supposed to be present (scroll down to "First HTTP header of the same name takes precedence?"):

http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol

Essentially, the first header takes precedence for Internet Explorer and Safari while Firefox, Opera and Chrome use the last header. It would seem to me that using the first header would be slightly safer and I'm curious to know why Firefox, Opera and Chrome don't do it; that is, is there a compelling reason to use the last header?

- Bil
Received on Wednesday, 16 December 2009 20:41:17 UTC
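
The first-versus-last difference described in the message above, as an added example that is not part of the original post: a Python check that resolves every header of a raw response under both policies and reports the ones where the two disagree. The sample response, the function names and the choice to exempt Set-Cookie are constructed for illustration.

```python
# Constructed sample response head; the duplicates are deliberate.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Set-Cookie: a=1\r\n"
    "X-Frame-Options: DENY\r\n"
    "content-type: text/html\r\n"      # same field, different case and value
    "X-Frame-Options: DENY\r\n"        # repeated, but identical
    "Set-Cookie: b=2\r\n"
    "\r\n"
)

# Fields that are legitimately sent more than once (assumption for this sketch).
MULTI_VALUED = {"set-cookie"}


def parse_headers(raw):
    """Return {lowercased field name: [values in wire order]}."""
    head = raw.split("\r\n\r\n", 1)[0]
    fields = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                             # malformed line, ignored here
        # Field names are case-insensitive, so normalise before grouping.
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def ambiguous_headers(raw):
    """Fields whose effective value depends on first-wins vs last-wins."""
    report = {}
    for name, values in parse_headers(raw).items():
        if name in MULTI_VALUED or len(values) < 2:
            continue
        first, last = values[0], values[-1]
        if first != last:                        # identical repeats are harmless
            report[name] = {"first_wins": first, "last_wins": last}
    return report


if __name__ == "__main__":
    for name, picks in ambiguous_headers(SAMPLE).items():
        print(f"{name}: first-wins={picks['first_wins']!r} "
              f"last-wins={picks['last_wins']!r}")
```

A server-side test or proxy can run a check like this over outgoing responses and fail on any non-empty report, so that no client has to choose between conflicting values.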