- From: Adam Barth <whatwg@adambarth.com>
- Date: Mon, 1 Jun 2009 19:09:51 -0700
2009/6/1 Bil Corry <bil at corry.biz>: > Den.Molib wrote on 6/1/2009 4:55 PM: >> follow the last one, as it's the one provided nearer the content. > > And by the same logic, the header closest to the content could be the one that was injected by an attacker (via application hole) -- so might choosing the first header be more prudent? If your site is vulnerable to header splitting, then you have bigger problems than injecting a Content-Type header. In any case, the four major browsers that actually look at the Content-Type header agree and use the last header. The only browser that uses the first header more or less ignores it anyway. Adam
Received on Monday, 1 June 2009 19:09:51 UTC