
Re: HTTP header representation in Fetch

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 20 Jan 2016 13:52:29 +0100
To: Anne van Kesteren <annevk@annevk.nl>, Honza Bambas <hbambas@mozilla.com>
Cc: Ryan Sleevi <sleevi@google.com>, Patrick McManus <pmcmanus@mozilla.com>, Mark Nottingham <mnot@mnot.net>, Youenn Fablet <youennf@gmail.com>, Takeshi Yoshino <tyoshino@google.com>, Jacob Rossi <Jacob.Rossi@microsoft.com>, Alex Christensen <achristensen@webkit.org>, Edward O'Connor <hober@apple.com>, Ben Kelly <bkelly@mozilla.com>, Nikki Bee <nikkicubed@gmail.com>, www-archive <www-archive@w3.org>
Message-ID: <569F830D.9010105@gmx.de>

On 2016-01-20 09:30, Anne van Kesteren wrote:
> On Tue, Jan 19, 2016 at 9:16 PM, Honza Bambas <hbambas@mozilla.com> wrote:
>> Merging of certain headers is in Gecko prohibited for security reasons
>> (injection attacks).  We explicitly hard-fail the response when there is
>> more than one instance of Content-Length, Content-Disposition or Location.
>> Hence merging e.g. Location is a very bad idea.
> That sounds like a simplification. At least, last time I looked into
> this we allowed multiple Location headers, if they contained the same
> URL (after parsing). And also, if it were a "single" header with
> multiple values, we did not treat it as an error. E.g., Location: a,b
> at URL /relative/ causes a redirect to /relative/a,b (maybe we should
> break this though, I haven't investigated if this is interoperable).
> In any event, these kind of exceptions based on specific header names
> makes it hard to create a generic API.
> ...

   Location: a,b

is *not* a single header with "multiple" values. It's perfectly legal, 
as "," is legal in a URI reference.

As Mark stated, you can't split on "," unless you understand the syntax 
of the header field.

Best regards, Julian
Received on Wednesday, 20 January 2016 12:53:34 UTC
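The distinction drawn in this thread, as an added example in JavaScript that is neither Gecko's code nor the Fetch specification's: combining repeated header fields is a purely syntactic ", " join, a header such as "Location: a,b" stays one value because "," is legal in a URI reference, and splitting a value on "," is only meaningful once you know the field's grammar uses list syntax. The strict hard-fail on a repeated Content-Length, Location or Content-Disposition models the Gecko behaviour Honza describes. The field sets, the example.test host and the two sample responses are constructed for illustration and are not from the thread.

```javascript
// Added example, not code from the thread, Gecko or the Fetch spec.
// Models the header-handling rules discussed above:
//  - repeated fields are combined with ", " (purely syntactic);
//  - a repeated Content-Length / Location / Content-Disposition is a hard
//    failure (injection and smuggling risk), as Honza describes for Gecko;
//  - splitting on "," is only done for fields known to use list syntax.
// Both field sets below are assumptions for illustration, not a registry.
const SINGLETON_FIELDS = new Set(["content-length", "location", "content-disposition"]);
const LIST_FIELDS = new Set(["cache-control", "vary", "allow", "connection", "accept-ranges"]);

// Parse a raw response head into [name, value] pairs, name lowercased.
// Skips the status line; rejects obs-fold (a line starting with whitespace).
function parseRawHeaders(raw) {
  const fields = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line === "" || /^HTTP\//.test(line)) continue;
    if (/^[ \t]/.test(line)) throw new Error("obs-fold line continuation not accepted");
    const colon = line.indexOf(":");
    if (colon <= 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    fields.push([line.slice(0, colon).toLowerCase(), line.slice(colon + 1).trim()]);
  }
  return fields;
}

// Combine repeated fields into one value per name. The join is syntactic;
// whether the joined string means anything depends on the field grammar
// (Set-Cookie is the classic case where it does not). Repeats of the
// singleton fields abort the whole response instead of being merged.
function combineHeaders(fields) {
  const combined = new Map();
  for (const [name, value] of fields) {
    if (!combined.has(name)) { combined.set(name, value); continue; }
    if (SINGLETON_FIELDS.has(name)) {
      throw new Error(`repeated ${name} header; refusing response (possible injection/smuggling)`);
    }
    combined.set(name, `${combined.get(name)}, ${value}`);
  }
  return combined;
}

// Split a combined value into list elements. Refuses fields whose syntax
// is not a comma-separated list, because there "," may be part of the value.
// Commas inside a quoted-string (e.g. no-cache="Set-Cookie, X") do not split.
function splitList(name, value) {
  if (!LIST_FIELDS.has(name)) {
    throw new Error(`${name} is not known to use list syntax; cannot split on ","`);
  }
  const elements = [];
  let current = "";
  let inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuote) {
      current += ch;
      if (ch === "\\" && i + 1 < value.length) current += value[++i]; // quoted-pair
      else if (ch === '"') inQuote = false;
    } else if (ch === '"') {
      inQuote = true;
      current += ch;
    } else if (ch === ",") {
      elements.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  elements.push(current.trim());
  return elements.filter((e) => e !== ""); // list syntax permits empty elements
}

// Resolve the (single) Location value against the request URL, exactly as
// Anne describes: "a,b" at /relative/ redirects to /relative/a,b.
function resolveLocation(headers, requestUrl) {
  const location = headers.get("location");
  return location === undefined ? null : new URL(location, requestUrl).href;
}

// Constructed sample responses (not captured traffic).
const SAMPLE_REDIRECT = [
  "HTTP/1.1 302 Found",
  "Location: a,b",
  "Cache-Control: no-cache",
  "Cache-Control: no-store",
  "Content-Length: 0",
  "",
].join("\r\n");

const SAMPLE_SMUGGLED = [
  "HTTP/1.1 200 OK",
  "Content-Length: 0",
  "Content-Length: 55",
  "",
].join("\r\n");

function demo() {
  const headers = combineHeaders(parseRawHeaders(SAMPLE_REDIRECT));
  console.log("Location value:", headers.get("location"));
  console.log("Redirect target:", resolveLocation(headers, "https://example.test/relative/"));
  console.log("Cache-Control elements:", splitList("cache-control", headers.get("cache-control")));
  try { splitList("location", headers.get("location")); } catch (e) { console.log("Refused:", e.message); }
  try { combineHeaders(parseRawHeaders(SAMPLE_SMUGGLED)); } catch (e) { console.log("Refused:", e.message); }
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The point of the two refusals is that they are different kinds of decision: the duplicate Content-Length is rejected by name, before any merging, while the Location value is kept whole and only a caller that asks to split it is told the field does not use list syntax.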