On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry <bil at corry.biz> wrote: > It's less likely to occur legitimately, but more likely to occur under a header injection scenario. As I wrote before in this thread, if the attacker can inject headers, there are far more severe attacks than changing the type of an HTTP response. Adam