
[whatwg] First or last Content-Type header?

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 05 Jun 2009 10:49:12 +0200
Message-ID: <op.uu1msang64w2qv@annevk-t60>
On Fri, 05 Jun 2009 10:44:25 +0200, Adam Barth <whatwg at adambarth.com> wrote:
> Based on this discussion, I'm not convinced there is a sufficiently
> compelling security rationale for convincing 4 out of 5 browsers to
> change their implementations.  The only attack presented is a header
> injection attack.  If I can inject headers into your HTTP responses, I
> can almost always perform a response splitting attack and obviate any
> protections we might hope to gain by using the first Content-Type
> header.

FWIW, if you look at other headers, e.g. Location, you may find the number shifting a little with respect to picking the first or last header in case of multiple Location headers. I forgot the specifics unfortunately, but I believe Opera was not consistent.

Anne van Kesteren
Received on Friday, 5 June 2009 01:49:12 UTC
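As an added example, not code from this thread or from any browser, the following Python check is the kind of audit a reverse proxy, response filter or interoperability test harness can run: it parses a raw HTTP/1.1 response head, flags singleton headers (Content-Type, Location, Content-Length) that occur more than once, and reports which value a "first header wins" consumer and a "last header wins" consumer would each use. The set of headers treated as singletons and the sample response are assumptions made for the example.

```python
# Added example (not from the thread): detect duplicated singleton headers in a
# raw HTTP response head and show where first-wins and last-wins parsers diverge.
SINGLETON_HEADERS = {"content-type", "location", "content-length"}  # assumption


def parse_headers(raw_head: str):
    """Return (status_line, [(name, value), ...]) from a raw response head.
    Names are lower-cased and values stripped. Obsolete line folding is not
    supported on purpose; a folded line raises rather than being guessed at."""
    lines = raw_head.split("\r\n")
    status_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            break  # the empty line terminates the header block
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def duplicate_singletons(headers):
    """Map each singleton header seen more than once to all of its values plus
    the value a first-wins and a last-wins implementation would select."""
    seen = {}
    for name, value in headers:
        if name in SINGLETON_HEADERS:
            seen.setdefault(name, []).append(value)
    return {
        name: {"values": vals, "first_wins": vals[0], "last_wins": vals[-1]}
        for name, vals in seen.items()
        if len(vals) > 1
    }


def audit(raw_head: str):
    """Parse a response head and return only the ambiguous singleton headers."""
    _, headers = parse_headers(raw_head)
    return duplicate_singletons(headers)


# Constructed sample response head, not a real capture.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "X-Custom: a\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        print(f"{name}: first-wins={info['first_wins']!r} last-wins={info['last_wins']!r}")
```

An empty result means every singleton header is unambiguous and the first-versus-last question the thread discusses does not arise for that response.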
