[whatwg] First or last Content-Type header?

Anne van Kesteren annevk at opera.com
Fri Jun 5 01:49:12 PDT 2009


On Fri, 05 Jun 2009 10:44:25 +0200, Adam Barth <whatwg at adambarth.com> wrote:
> Based on this discussion, I'm not convinced there is a sufficiently
> compelling security rationale for convincing 4 out of 5 browsers to
> change their implementations.  The only attack presented is a header
> injection attack.  If I can inject headers into your HTTP responses, I
> can almost always perform a response splitting attack and obviate any
> protections we might hope to gain by using the first Content-Type
> header.

FWIW, if you look at other headers, e.g. Location, you may find the number shifting a little with respect to picking the first or last header in case of multiple Location headers. I forgot the specifics unfortunately, but I believe Opera was not consistent.


-- 
Anne van Kesteren
http://annevankesteren.nl/
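A defensive check that makes the first-vs-last disagreement concrete, added here as an example and not part of the thread or any browser's code: it parses the head of a raw HTTP/1.x response (a constructed sample), collects every Content-Type and Location header, and reports what a first-header policy and a last-header policy would each select, so a proxy, fuzzer or test suite can flag responses whose interpretation depends on which browser receives them. Function names, the latin-1 decoding of header bytes and the sample response are assumptions.

```python
from typing import Dict, List, Tuple

# Headers whose first-vs-last handling the thread discusses.
AMBIGUOUS_HEADERS = ("content-type", "location")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Ordered (name, value) pairs from a raw HTTP/1.x head; duplicates kept, no obs-fold."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip().decode("latin-1").lower(),
                            value.strip().decode("latin-1")))
    return headers


def header_policies(headers: List[Tuple[str, str]], name: str) -> Dict[str, object]:
    """What a first-header policy and a last-header policy would each select."""
    values = [v for n, v in headers if n == name]
    return {
        "count": len(values),
        "first": values[0] if values else None,
        "last": values[-1] if values else None,
        "divergent": len(set(values)) > 1,  # the two policies disagree
    }


def audit_response(raw: bytes) -> Dict[str, Dict[str, object]]:
    """Report only the headers that occur more than once, with both policies' picks."""
    headers = parse_headers(raw)
    report = {}
    for name in AMBIGUOUS_HEADERS:
        policies = header_policies(headers, name)
        if policies["count"] > 1:
            report[name] = policies
    return report


# Constructed sample: Content-Type appears twice with different values.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Content-Type: text/plain\r\n"
    b"Location: https://example.invalid/next\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"body\r\n"
)
```

A response for which `audit_response` returns a non-empty report is one whose rendering (or redirect target, for Location) differs between browsers that pick the first header and those that pick the last.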