Re: [whatwg/fetch] Handling of invalid Location header characters doesn't match browsers (#883)

What Chrome actually does if it sees multiple differing Location headers is hard-fail the request.  We do the same for Content-Length and Content-Disposition.  If we have multiple identical headers we just ignore them.  Those are the only 3 headers we do that for.

This was added as a mitigation against response splitting attacks, as I recall, though no idea how useful it actually is.  The frequency of those errors dropped off pretty precipitously within a month of that behavior hitting stable, so it presumably shouldn't be too risky for other browsers to follow suit.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/883#issuecomment-475868237

Received on Saturday, 23 March 2019 13:06:26 UTC
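The header policy the comment describes, written out as an added example for illustration (this is not Chrome's implementation or anything from the fetch spec): a response with multiple differing Location, Content-Length or Content-Disposition headers is rejected outright, identical repeats collapse to one, and every other header is passed through. The value comparison (exact match after trimming whitespace) is my assumption; the comment does not say how Chrome compares values.

```javascript
// Added example modelling the policy described above; not browser or spec code.
// Names are matched case-insensitively, as HTTP header names are.
const SINGLETON_HEADERS = new Set(["location", "content-length", "content-disposition"]);

class DuplicateHeaderError extends Error {}

// headers: array of [name, value] pairs in wire order.
// Returns a new array of [lowercased name, value] pairs, or throws
// DuplicateHeaderError when one of the three headers appears with
// differing values (the "hard-fail the request" case).
function normalizeResponseHeaders(headers) {
  const firstSeen = new Map(); // lowercased name -> first value, only for the 3 names
  const out = [];
  for (const [rawName, rawValue] of headers) {
    const name = rawName.toLowerCase();
    // Assumption: surrounding whitespace is not significant for the comparison.
    const value = String(rawValue).trim();
    if (!SINGLETON_HEADERS.has(name)) {
      out.push([name, value]); // e.g. repeated Set-Cookie stays as-is
      continue;
    }
    if (!firstSeen.has(name)) {
      firstSeen.set(name, value);
      out.push([name, value]);
      continue;
    }
    if (firstSeen.get(name) !== value) {
      throw new DuplicateHeaderError(
        `conflicting ${name} headers: ${JSON.stringify(firstSeen.get(name))} vs ${JSON.stringify(value)}`);
    }
    // Identical repeat: silently dropped.
  }
  return out;
}

// Non-throwing wrapper: { ok: true, headers } or { ok: false, reason }.
function checkResponseHeaders(headers) {
  try {
    return { ok: true, headers: normalizeResponseHeaders(headers) };
  } catch (e) {
    if (e instanceof DuplicateHeaderError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Constructed sample responses (not captured from any real server).
const splitResponse = [["Location", "https://example.com/a"], ["Location", "https://example.net/b"]];
const dupResponse = [["Content-Length", "42"], ["content-length", " 42"],
                     ["Set-Cookie", "a=1"], ["Set-Cookie", "b=2"]];
```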