- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 20 Jan 2016 13:52:29 +0100
- To: Anne van Kesteren <annevk@annevk.nl>, Honza Bambas <hbambas@mozilla.com>
- Cc: Ryan Sleevi <sleevi@google.com>, Patrick McManus <pmcmanus@mozilla.com>, Mark Nottingham <mnot@mnot.net>, Youenn Fablet <youennf@gmail.com>, Takeshi Yoshino <tyoshino@google.com>, Jacob Rossi <Jacob.Rossi@microsoft.com>, Alex Christensen <achristensen@webkit.org>, Edward O'Connor <hober@apple.com>, Ben Kelly <bkelly@mozilla.com>, Nikki Bee <nikkicubed@gmail.com>, www-archive <www-archive@w3.org>
On 2016-01-20 09:30, Anne van Kesteren wrote:
> On Tue, Jan 19, 2016 at 9:16 PM, Honza Bambas <hbambas@mozilla.com> wrote:
>> Merging of certain headers is in Gecko prohibited for security reasons
>> (injection attacks). We explicitly hard-fail the response when there is
>> more than one instance of Content-Length, Content-Disposition or Location.
>> Hence merging e.g. Location is a very bad idea.
>
> That sounds like a simplification. At least, last time I looked into
> this we allowed multiple Location headers, if they contained the same
> URL (after parsing). And also, if it were a "single" header with
> multiple values, we did not treat it as an error. E.g., Location: a,b
> at URL /relative/ causes a redirect to /relative/a,b (maybe we should
> break this though, I haven't investigated if this is interoperable).
> In any event, these kinds of exceptions based on specific header names
> make it hard to create a generic API.
> ...

Location: a,b is *not* a single header with "multiple" values. It's
perfectly legal, as "," is legal in a URI reference.

As Mark stated, you can't split on "," unless you understand the syntax
of the header field.

Best regards, Julian
Received on Wednesday, 20 January 2016 12:53:34 UTC
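The point argued in this message (a Location value such as `a,b` is one URI reference, not a list, so a generic "split or join on comma" header API gets it wrong, and duplicate Content-Length / Content-Disposition / Location fields are a safety problem rather than something to merge) can be shown with a small client-side header model. The code below is an added example, not code from this thread, from Gecko, or from the Fetch specification. The function and constant names (`combineHeaders`, `SINGLETON_FIELDS`, `naiveSplit`, `resolveLocation`), the constructed header lists and the `https://example.test` base URL are all assumptions made for illustration; the "same URL after parsing" tolerance for repeated Location is modelled on Anne's description above, not on any browser's actual code.

```javascript
// Added example (hypothetical names, constructed input): models how a
// client-side header list should handle repeated fields and why Location
// must never be split on ",".

// Fields that carry exactly one value and must not be combined or split.
// Duplicates with differing values are treated as an error (the behaviour
// Honza describes for Gecko), because an attacker who can inject a second
// Content-Length or Location can otherwise steer the response.
const SINGLETON_FIELDS = new Set(["content-length", "content-disposition", "location"]);

// Compare two singleton values. Location values are compared after parsing
// against the response URL, so "/x" and "https://example.test/x" count as
// the same redirect target (modelled on Anne's description, an assumption).
function sameSingletonValue(key, a, b, baseUrl) {
  if (key === "location") {
    try {
      return new URL(a, baseUrl).href === new URL(b, baseUrl).href;
    } catch (e) {
      return false;
    }
  }
  return a === b;
}

// rawHeaders: array of [name, value] pairs in wire order (constructed input).
// Returns Map<lower-cased name, value>. List-valued fields are combined with
// ", " per RFC 7230 section 3.2.2; singleton fields are rejected on conflict.
function combineHeaders(rawHeaders, baseUrl) {
  const out = new Map();
  for (const [name, rawValue] of rawHeaders) {
    const key = name.trim().toLowerCase();
    const value = rawValue.trim();
    if (!out.has(key)) {
      out.set(key, value);
      continue;
    }
    if (SINGLETON_FIELDS.has(key)) {
      if (!sameSingletonValue(key, out.get(key), value, baseUrl)) {
        throw new Error(`conflicting ${key} headers: "${out.get(key)}" vs "${value}"`);
      }
      continue; // identical duplicate: keep the first, drop the repeat
    }
    out.set(key, out.get(key) + ", " + value);
  }
  return out;
}

// The generic "split the field on commas" approach. Correct for list
// fields such as Cache-Control, WRONG for Location, where "," is a legal
// character inside a single URI reference.
function naiveSplit(value) {
  return value.split(",").map((s) => s.trim());
}

// Location is resolved as one URI reference against the response URL,
// so "a,b" at /relative/ redirects to /relative/a,b, as the thread says.
function resolveLocation(headers, baseUrl) {
  const loc = headers.get("location");
  if (loc === undefined) return null;
  return new URL(loc, baseUrl).href;
}

// Stand-alone demonstration on constructed header lists.
const BASE = "https://example.test/relative/";
const redirect = combineHeaders(
  [["Location", "a,b"], ["Cache-Control", "no-store"], ["Cache-Control", "max-age=0"]],
  BASE
);
console.log("resolved Location:", resolveLocation(redirect, BASE)); // .../relative/a,b
console.log("naive split of Location:", naiveSplit(redirect.get("location"))); // ["a","b"], wrong
console.log("combined Cache-Control:", redirect.get("cache-control"));
try {
  combineHeaders([["Content-Length", "10"], ["Content-Length", "20"]], BASE);
} catch (e) {
  console.log("rejected:", e.message);
}
```

The contrast to take away is in `combineHeaders` versus `naiveSplit`: combining with ", " is only reversible for fields whose grammar is a comma-separated list, so a generic header API either has to know each field's syntax or must leave singleton fields alone and fail hard when they are repeated.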