On 2016-01-20 09:30, Anne van Kesteren wrote:
On Tue, Jan 19, 2016 at 9:16 PM, Honza Bambas <hbam...@mozilla.com> wrote:
Merging of certain headers is prohibited in Gecko for security reasons
(injection attacks). We explicitly hard-fail the response when there is
more than one instance of Content-Length, Content-Disposition or Location.
Hence merging e.g. Location is a very bad idea.

That sounds like a simplification. At least, last time I looked into
this we allowed multiple Location headers, if they contained the same
URL (after parsing). And also, if it were a "single" header with
multiple values, we did not treat it as an error. E.g., Location: a,b
at URL /relative/ causes a redirect to /relative/a,b (maybe we should
break this though, I haven't investigated if this is interoperable).
In any event, these kinds of exceptions based on specific header names
make it hard to create a generic API.
...

  Location: a,b

is *not* a single header with "multiple" values. It's perfectly legal, as "," is legal in a URI reference.

As Mark stated, you can't split on "," unless you understand the syntax of the header field.

Best regards, Julian
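As an added illustration of the point made in this thread (example code written for this page, not Gecko's or the Fetch specification's implementation): a header combiner that only comma-joins fields whose syntax is actually a comma-separated list, hard-fails on conflicting instances of single-valued fields such as Content-Length and Location, and otherwise keeps duplicate values apart instead of guessing. The sets of list-valued and single-valued field names are assumptions chosen for the example, and treating a byte-identical repeat as tolerable is a simplification of the "same URL after parsing" behaviour Anne describes. The naive combiner is included only to show what goes wrong when everything is joined with ",".

```javascript
// Added example, not code from Gecko or from the thread's participants.

// Fields whose ABNF is a comma-separated list (RFC 7230 section 3.2.2); several
// instances can be joined with ", " without changing their meaning.
// Assumed set for illustration, not exhaustive.
const LIST_FIELDS = new Set(["accept", "accept-encoding", "cache-control", "vary", "via", "link"]);

// Fields that carry exactly one value, where a second, different instance is
// either an attack or a bug. Mirrors the hard-fail set Honza names for Gecko;
// Gecko's real list may differ.
const SINGLETON_FIELDS = new Set(["content-length", "content-disposition", "location"]);

class HeaderError extends Error {}

// Naive approach: join every repeated field with ", ". Two Content-Length
// headers "5" and "50" become "5, 50", which is not a length at all.
function naiveCombine(rawLines) {
  const out = new Map();
  for (const line of rawLines) {
    const idx = line.indexOf(":");
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    out.set(name, out.has(name) ? `${out.get(name)}, ${value}` : value);
  }
  return out;
}

// Careful approach: the combining rule depends on the field's syntax.
// Result: Map of lowercased name -> string (list or singleton fields) or
// array of strings (anything else, e.g. Set-Cookie, which is never joined).
function combineHeaders(rawLines) {
  const out = new Map();
  for (const line of rawLines) {
    const idx = line.indexOf(":");
    if (idx <= 0) throw new HeaderError(`malformed header line: ${JSON.stringify(line)}`);
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();

    if (!out.has(name)) {
      out.set(name, LIST_FIELDS.has(name) || SINGLETON_FIELDS.has(name) ? value : [value]);
      continue;
    }
    const prev = out.get(name);
    if (SINGLETON_FIELDS.has(name)) {
      // Tolerate a byte-identical repeat (simplification of "same after parsing");
      // anything else is a hard failure for the whole response.
      if (prev === value) continue;
      throw new HeaderError(`conflicting ${name} headers: ${JSON.stringify(prev)} vs ${JSON.stringify(value)}`);
    }
    if (LIST_FIELDS.has(name)) {
      out.set(name, `${prev}, ${value}`);
      continue;
    }
    // Unknown syntax: keep both values, never join and never split on ",".
    prev.push(value);
  }
  return out;
}

// Location is one URI reference. A "," inside it is just a path character,
// so "a,b" requested at /relative/ resolves to /relative/a,b.
function resolveLocation(headers, requestUrl) {
  const loc = headers.get("location");
  return loc === undefined ? null : new URL(loc, requestUrl).href;
}

// True when combineHeaders rejects the given lines with a HeaderError.
function rejects(rawLines) {
  try {
    combineHeaders(rawLines);
    return false;
  } catch (e) {
    if (e instanceof HeaderError) return true;
    throw e;
  }
}

// Constructed sample responses (not captured traffic).
const redirect = combineHeaders(["Location: a,b"]);
console.log(resolveLocation(redirect, "http://example.test/relative/"));
console.log(naiveCombine(["Content-Length: 5", "Content-Length: 50"]).get("content-length"));
console.log(rejects(["Content-Length: 5", "Content-Length: 50"]));
```

The generic API problem Anne raises shows up directly in the code: the three branches of `combineHeaders` exist only because the combining rule is a property of each field's grammar, so a combiner that knows nothing about field names has no safe choice except to keep the values apart.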
