[whatwg] First or last Content-Type header?
julian.reschke at gmx.de
Tue Jun 2 00:19:08 PDT 2009
Adam Barth wrote:
> 2009/6/1 Bil Corry <bil at corry.biz>:
>> Den.Molib wrote on 6/1/2009 4:55 PM:
>>> follow the last one, as it's the one provided nearer the content.
>> And by the same logic, the header closest to the content could be the one that was injected by an attacker (via application hole) -- so might choosing the first header be more prudent?
> If your site is vulnerable to header splitting, then you have bigger
> problems than injecting a Content-Type header.
> In any case, the four major browsers that actually look at the
> Content-Type header agree and use the last header. The only browser
> that uses the first header more or less ignores it anyway.
Could you clarify that last point?
Are you talking about IE? Which version?
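
As an added illustration (not part of the thread or of any participant's message): a Python check that flags a response head carrying more than one Content-Type field and reports what a first-wins and a last-wins consumer would each select. The sample response and all function names are constructed for this example.

```python
# Constructed sample: a response head with two Content-Type fields,
# as could result from the header injection discussed in the thread.
SAMPLE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"X-Request-Id: abc123\r\n"
    b"content-type: text/html\r\n"
    b"\r\n"
    b"<script>...</script>"
)


def content_type_values(raw_response):
    """Return every Content-Type field value, in wire order."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        if line[:1] in (b" ", b"\t"):          # ignore obsolete folded lines
            continue
        name, sep, value = line.partition(b":")
        # Field names are case-insensitive.
        if sep and name.strip().lower() == b"content-type":
            values.append(value.strip().decode("latin-1"))
    return values


def media_type(value):
    """Strip parameters (e.g. charset) and normalise case."""
    return value.split(";", 1)[0].strip().lower()


def audit_content_type(raw_response):
    """Summarise how first-wins and last-wins consumers would disagree."""
    values = content_type_values(raw_response)
    return {
        "count": len(values),
        "first_wins": values[0] if values else None,
        "last_wins": values[-1] if values else None,
        # Conflict = the duplicates name different media types.
        "conflict": len({media_type(v) for v in values}) > 1,
    }


if __name__ == "__main__":
    print(audit_content_type(SAMPLE_HEAD))
```

A check like this fits in a proxy log review or an integration test for the application's own responses, where any result with `count` above 1 is worth investigating regardless of which header a given client honours.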