[whatwg] First or last Content-Type header?

Julian Reschke julian.reschke at gmx.de
Tue Jun 2 00:19:08 PDT 2009


Adam Barth wrote:
> 2009/6/1 Bil Corry <bil at corry.biz>:
>> Den.Molib wrote on 6/1/2009 4:55 PM:
>>> follow the last one, as it's the one provided nearer the content.
>> And by the same logic, the header closest to the content could be the one that was injected by an attacker (via application hole) -- so might choosing the first header be more prudent?
> 
> If your site is vulnerable to header splitting, then you have bigger
> problems than injecting a Content-Type header.
> 
> In any case, the four major browsers that actually look at the
> Content-Type header agree and use the last header.  The only browser
> that uses the first header more or less ignores it anyway.

Could you clarify that last point?

Are you talking about IE? Which version?

BR, Julian
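
Added example, not part of the original message or of any participant's code: a Python check that a proxy or test harness could run over a raw response head to flag conflicting Content-Type fields, showing what a first-header and a last-header client would each select. The sample response and all function names are constructed for illustration.

```python
# Constructed sample response head (not from the thread): two conflicting
# Content-Type fields, as could result from a header-splitting hole.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "X-Request-Id: abc123\r\n"
    "content-type: text/html\r\n"
    "\r\n"
    "<p>body</p>"
)


def content_type_fields(raw_head):
    """Return every Content-Type field value, in order of appearance.

    Field names are matched case-insensitively. Obsolete line folding is
    not handled; this is a simplification of the example.
    """
    values = []
    for line in raw_head.split("\r\n")[1:]:   # skip the status line
        if line == "":
            break                             # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            values.append(value.strip())
    return values


def media_type(value):
    """Lower-cased type/subtype with parameters (e.g. charset) removed."""
    return value.split(";", 1)[0].strip().lower()


def audit(raw_head):
    """Report what each selection policy yields and whether they disagree."""
    types = [media_type(v) for v in content_type_fields(raw_head)]
    return {
        "count": len(types),
        "first_wins": types[0] if types else None,
        "last_wins": types[-1] if types else None,
        # Only the media type is compared; differing parameters alone
        # are not flagged by this example.
        "ambiguous": len(set(types)) > 1,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_HEAD))
```

A response flagged as ambiguous is one where clients using different selection policies would treat the same body as different types, so it is worth rejecting or logging at the edge regardless of which policy a given client follows.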


