[whatwg] First or last Content-Type header?

On Fri, 05 Jun 2009 10:44:25 +0200, Adam Barth <whatwg at adambarth.com> wrote:
> Based on this discussion, I'm not convinced there is a sufficiently
> compelling security rationale for convincing 4 out of 5 browsers to
> change their implementations.  The only attack presented is a header
> injection attack.  If I can inject headers into your HTTP responses, I
> can almost always perform a response splitting attack and obviate any
> protections we might hope to gain by using the first Content-Type
> header.

FWIW, if you look at other headers, e.g. Location, you may find the number shifting a little with respect to picking the first or last header in case of multiple Location headers. I forgot the specifics unfortunately, but I believe Opera was not consistent.

Anne van Kesteren

Received on Friday, 5 June 2009 01:49:12 UTC
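To make the disagreement concrete, here is an added example (not code from the thread or from any browser) that parses a response head, shows what a "first Content-Type wins" versus "last wins" implementation would pick when the header is duplicated, and includes the two defensive checks that remove the ambiguity at the origin: rejecting CR/LF in header values before emission, and flagging duplicate Content-Type or Location headers. The sample response and the function names are constructed for this example.

```python
# Added example, not part of the original thread: how "first" vs "last"
# Content-Type selection diverges on a duplicated header, plus the
# server-side checks that prevent the duplication in the first place.
from typing import List, Optional, Tuple

Header = Tuple[str, str]


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a response head (status line + headers) into (status, [(name, value)])."""
    lines = raw.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def content_type(headers: List[Header], policy: str) -> Optional[str]:
    """Pick Content-Type the way a 'first'-wins or 'last'-wins browser would."""
    matches = [v for n, v in headers if n == "content-type"]
    if not matches:
        return None
    return matches[0] if policy == "first" else matches[-1]


def safe_header_value(value: str) -> bool:
    """Reject CR, LF and NUL in a value before emitting it; this blocks the
    header injection (and hence response splitting) the thread refers to."""
    return not any(ch in value for ch in "\r\n\0")


def duplicate_headers(headers: List[Header], name: str) -> int:
    """Count occurrences of a header; more than one Content-Type (or
    Location) is exactly the case browsers resolve differently."""
    return sum(1 for n, _ in headers if n == name.lower())


# Constructed sample response: the second Content-Type is the injected one.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"X-Injected: a\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"hello"
)
```

A server that validates every header value with `safe_header_value` and refuses to emit a second Content-Type never produces the ambiguous case, regardless of which policy the client implements.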