[whatwg] First or last Content-Type header?

From: Adam Barth <whatwg@adambarth.com>
Date: Mon, 1 Jun 2009 19:09:51 -0700
Message-ID: <7789133a0906011909j78385963jff022f71201d9d8b@mail.gmail.com>

2009/6/1 Bil Corry <bil at corry.biz>:
> Den.Molib wrote on 6/1/2009 4:55 PM:
>> follow the last one, as it's the one provided nearer the content.
>
> And by the same logic, the header closest to the content could be the one that was injected by an attacker (via application hole) -- so might choosing the first header be more prudent?

If your site is vulnerable to header splitting, then you have bigger
problems than injecting a Content-Type header.

In any case, the four major browsers that actually look at the
Content-Type header agree and use the last header.  The only browser
that uses the first header more or less ignores it anyway.

Adam
Received on Monday, 1 June 2009 19:09:51 UTC
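
The first-versus-last question in this thread, as an added example that is not part of the original message: a Python audit of a raw response head that reports which media type a first-header reader and a last-header reader would each pick, plus a server-side guard that refuses CR/LF in header values. All function names and the sample response are constructed for illustration.

```python
# Added example (not from the thread): audit duplicate Content-Type headers.

def parse_header_fields(raw_head: bytes):
    """Return [(lowercased name, value)] for each field line after the status line."""
    fields = []
    for line in raw_head.split(b"\r\n")[1:]:
        if not line:
            break  # blank line ends the header block; the body is not parsed
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed field line, skipped in this sketch
        fields.append((name.strip().lower().decode("latin-1"),
                       value.strip().decode("latin-1")))
    return fields


def media_type(value: str) -> str:
    """Strip parameters such as charset and normalise case."""
    return value.split(";", 1)[0].strip().lower()


def audit_content_type(raw_head: bytes) -> dict:
    """Report what a first-wins and a last-wins reader would each select."""
    types = [media_type(v) for n, v in parse_header_fields(raw_head)
             if n == "content-type"]
    if not types:
        return {"count": 0, "first": None, "last": None, "ambiguous": False}
    return {"count": len(types), "first": types[0], "last": types[-1],
            "ambiguous": len(set(types)) > 1}


def safe_header_value(value: str) -> str:
    """Server-side guard: refuse CR/LF so a value cannot start a new header line."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR or LF in header value")
    return value


# Constructed sample: one response carrying two conflicting Content-Type headers.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/plain\r\n"
          b"X-Echo: abc\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n"
          b"\r\n"
          b"body")

if __name__ == "__main__":
    print(audit_content_type(SAMPLE))
```

A response flagged `ambiguous` is one that clients following different rules will interpret differently, which is worth alerting on regardless of which rule a given browser applies.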
