Re: Handling multiple headers when only one is allowed

On Wed, 16 Dec 2009 21:39:45 +0100, Bil Corry <> wrote:

> Michal Zalewski's excellent "Browser Security Handbook" points out that  
> different browsers handle multiple headers differently when only one  
> header is suppose to be present (scroll down to "First HTTP header of  
> the same name takes precedence?"):
> Essentially, the first header takes precedence for Internet Explorer and  
> Safari while Firefox, Opera and Chrome use the last header.
> It would seem to me that using the first header would be slightly safer  
> and I'm curious to know why Firefox, Opera and Chrome don't do it; that  
> is, is there a compelling reason to use the last header?

In some cases the last is applied because they are processed in order and  
there is no check, or only few checks, about whether the same header has  
been encountered before. In other cases the first header is used,  
particularly when processing headers related to the response body.

In the case of Content-Type there reason is quite simply: Using the last  
header fixed a site specific problem at the time it was added, in a case  
where the second header was more accurate in relation to the content.

Regarding content-type there is also the question of content-type  
guessing, which AFAIK some browsers (or versions of them) do regardless of  
what the content-type says (causiing occasional difficulties for other  
browsers); it is IMO conceivable that this could affect a test like  

Yngve N. Pettersen
Senior Developer                     Email:
Opera Software ASA         
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01

Received on Wednesday, 16 December 2009 22:48:02 UTC