[whatwg] First or last Content-Type header?
Anne van Kesteren
annevk at opera.com
Fri Jun 5 01:49:12 PDT 2009
On Fri, 05 Jun 2009 10:44:25 +0200, Adam Barth <whatwg at adambarth.com> wrote:
> Based on this discussion, I'm not convinced there is a sufficiently
> compelling security rationale for convincing 4 out of 5 browsers to
> change their implementations. The only attack presented is a header
> injection attack. If I can inject headers into your HTTP responses, I
> can almost always perform a response splitting attack and obviate any
> protections we might hope to gain by using the first Content-Type
> header.
FWIW, if you look at other headers, e.g. Location, you may find the number shifting a little with respect to picking the first or last header in case of multiple Location headers. I forgot the specifics unfortunately, but I believe Opera was not consistent.
--
Anne van Kesteren
http://annevankesteren.nl/
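To make the point in the quoted reply concrete, here is an added example that is not part of the thread or of any browser's code. It parses a constructed HTTP/1.x response the way a pipelining client would, applies both the "first Content-Type wins" and "last Content-Type wins" policies the thread is comparing, and shows that a CRLF injection which can add a duplicate header can equally terminate the head and supply a whole second response, at which point the policy no longer matters. The vulnerable server (`build_response`) and all payloads are hypothetical and constructed for illustration; `header_value_is_safe` is the usual server-side fix.

```python
"""Added example (not from the whatwg thread): first-vs-last Content-Type
selection against a duplicate-header injection and against a response
split. Every response and payload below is constructed for illustration."""


def parse_head(head: bytes):
    """Split a response head into (status_line, [(name, value), ...]).
    Duplicates are kept in wire order so either selection policy can run."""
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return status, headers


def split_responses(raw: bytes):
    """Parse consecutive Content-Length-delimited responses, as a pipelining
    client or intermediary would. Stops at the first chunk that does not
    begin with a status line (leftover bytes from the original server)."""
    responses = []
    while raw.startswith(b"HTTP/"):
        head, sep, rest = raw.partition(b"\r\n\r\n")
        if not sep:
            break
        status, headers = parse_head(head)
        length = int(next((v for n, v in headers if n == "content-length"), "0"))
        responses.append((status, headers, rest[:length]))
        raw = rest[length:]
    return responses


def pick_content_type(headers, policy: str):
    """Return the Content-Type a client uses under the 'first' or 'last'
    policy discussed in the thread, or None if the header is absent."""
    values = [v for n, v in headers if n == "content-type"]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


def build_response(reflected: str) -> bytes:
    """Hypothetical vulnerable server: copies an attacker-controlled string
    into Content-Type without rejecting CR/LF. Not modelled on any real server."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + reflected.encode("latin-1")
            + b"\r\nContent-Length: 2\r\n\r\nok")


def header_value_is_safe(value: str) -> bool:
    """Server-side fix: refuse CR, LF and NUL in any header value."""
    return not any(c in value for c in "\r\n\x00")


# Attack 1: inject a second Content-Type. Here the policy decides the outcome.
DUP_PAYLOAD = "text/plain\r\nContent-Type: text/html"

# Attack 2: end the head early and supply a complete second response.
# The first response carries a single 'text/plain' under either policy;
# the attacker's text/html response follows it on the wire regardless.
SPLIT_PAYLOAD = ("text/plain\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Content-Length: 8\r\n\r\n<b>x</b>")


def demo():
    dup = split_responses(build_response(DUP_PAYLOAD))
    split = split_responses(build_response(SPLIT_PAYLOAD))
    return {
        "dup_first": pick_content_type(dup[0][1], "first"),
        "dup_last": pick_content_type(dup[0][1], "last"),
        "split_count": len(split),
        "split_first_resp": pick_content_type(split[0][1], "first"),
        "split_second_resp": pick_content_type(split[1][1], "last"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the duplicate-header case yields `text/plain` under "first" and `text/html` under "last", while the split case yields two parsed responses, the second of which is `text/html` whichever policy the client applies to the first. Rejecting CR/LF in reflected header values closes both cases at once, which is the reason a client-side first-vs-last rule buys little on its own.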