Re: HTTP header representation in Fetch

On 2016-01-20 09:30, Anne van Kesteren wrote:
> On Tue, Jan 19, 2016 at 9:16 PM, Honza Bambas <hbambas@mozilla.com> wrote:
>> Merging of certain headers is in Gecko prohibited for security reasons
>> (injection attacks).  We explicitly hard-fail the response when there is
>> more than one instance of Content-Length, Content-Disposition or Location.
>> Hence merging e.g. Location is a very bad idea.
>
> That sounds like a simplification. At least, last time I looked into
> this we allowed multiple Location headers, if they contained the same
> URL (after parsing). And also, if it were a "single" header with
> multiple values, we did not treat it as an error. E.g., Location: a,b
> at URL /relative/ causes a redirect to /relative/a,b (maybe we should
> break this though, I haven't investigated if this is interoperable).
> In any event, these kind of exceptions based on specific header names
> makes it hard to create a generic API.
> ...

   Location: a,b

is *not* a single header with "multiple" values. It's perfectly legal, 
as "," is legal in a URI reference.

As Mark stated, you can't split on "," unless you understand the syntax 
of the header field.

Best regards, Julian

Received on Wednesday, 20 January 2016 12:53:34 UTC