- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 02 Jun 2009 09:19:08 +0200

Adam Barth wrote:
> 2009/6/1 Bil Corry <bil at corry.biz>:
>> Den.Molib wrote on 6/1/2009 4:55 PM:
>>> follow the last one, as it's the one provided nearer the content.
>> And by the same logic, the header closest to the content could be the one that was injected by an attacker (via application hole) -- so might choosing the first header be more prudent?
>
> If your site is vulnerable to header splitting, then you have bigger
> problems than injecting a Content-Type header.
>
> In any case, the four major browsers that actually look at the
> Content-Type header agree and use the last header. The only browser
> that uses the first header more or less ignores it anyway.

Could you clarify that last point? Are you talking about IE? Which version?

BR, Julian

Received on Tuesday, 2 June 2009 00:19:08 UTC