- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 05 Jun 2009 10:49:12 +0200
On Fri, 05 Jun 2009 10:44:25 +0200, Adam Barth <whatwg at adambarth.com> wrote:

> Based on this discussion, I'm not convinced there is a sufficiently
> compelling security rationale for convincing 4 out of 5 browsers to
> change their implementations. The only attack presented is a header
> injection attack. If I can inject headers into your HTTP responses, I
> can almost always perform a response splitting attack and obviate any
> protections we might hope to gain by using the first Content-Type
> header.

FWIW, if you look at other headers, e.g. Location, you may find the number shifting a little with respect to picking the first or last header in case of multiple Location headers. I forgot the specifics unfortunately, but I believe Opera was not consistent.

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 5 June 2009 01:49:12 UTC
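The thread above turns on two things: which value a client ends up with when a single-valued header such as Content-Type or Location appears more than once, and the fact that the only way an attacker gets a second copy in is header injection, which CR/LF filtering at the origin removes outright. The following is an added example written for this archive page; it is not code from the thread, from WHATWG, or from any browser. It parses a raw HTTP/1.1 response, reports duplicated single-valued headers, shows how a "first wins" and a "last wins" policy diverge on the same bytes, and includes a server-side `set_header` helper that refuses CR/LF. The response bytes, the `SINGLE_VALUED` set and all function names are constructed for the example.

```python
"""Added example (not from the mailing-list thread): detect duplicate
single-valued response headers and reject CR/LF at the point where a
server sets a header. Sample response bytes below are constructed."""
from typing import Dict, List, Optional, Tuple

# Headers that RFC 2616 / HTTP semantics define as appearing at most once.
# (Assumed set for this example; extend as needed.)
SINGLE_VALUED = {"content-type", "content-length", "location"}

Header = Tuple[str, str]


def parse_response_headers(raw: bytes) -> List[Header]:
    """Return (name, value) pairs in wire order, with names lower-cased.

    Only the status line and header block are examined; the body is ignored.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block (missing CRLF CRLF)")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    pairs: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.strip().decode("latin-1").lower(),
                      value.strip().decode("latin-1")))
    return pairs


def find_duplicates(pairs: List[Header]) -> Dict[str, List[str]]:
    """Single-valued headers that occur more than once, with every value seen.

    A non-empty result is the condition the thread is discussing: the client
    now has to pick, and different browsers pick differently.
    """
    seen: Dict[str, List[str]] = {}
    for name, value in pairs:
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items()
            if n in SINGLE_VALUED and len(v) > 1}


def pick(pairs: List[Header], name: str, policy: str = "first") -> Optional[str]:
    """Model the two client policies mentioned in the thread: first or last."""
    values = [v for n, v in pairs if n == name.lower()]
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    raise ValueError(f"unknown policy {policy!r}")


def set_header(headers: Dict[str, str], name: str, value: str) -> None:
    """Server-side mitigation: a header value containing CR or LF would start
    a new header line (or a new response), so refuse it instead of emitting it.
    """
    for part in (name, value):
        if "\r" in part or "\n" in part:
            raise ValueError("CR/LF not allowed in an HTTP header name or value")
    headers[name] = value


# Constructed sample: a response carrying two Content-Type headers.
CONSTRUCTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    hdrs = parse_response_headers(CONSTRUCTED_RESPONSE)
    dupes = find_duplicates(hdrs)
    print("duplicated single-valued headers:", dupes)
    for policy in ("first", "last"):
        print(f"content-type under '{policy}' policy:",
              pick(hdrs, "content-type", policy))
```

Run as a script it reports the duplicated Content-Type and shows `text/plain` under the first-wins policy and `text/html` under last-wins, which is exactly the inconsistency Anne describes for Location. The `set_header` helper is the origin-side counterpart: if no CR/LF can reach the wire, neither a second Content-Type nor a split response can be injected, regardless of which policy the client applies.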