[langsec-discuss] secure parser differential advice from "Tangled Web"
daira at jacaranda.org
Thu Jan 15 16:09:30 UTC 2015
On 13/01/15 06:09, Nils Dagsson Moskopp wrote:
> Repeated header lines in HTTP are only allowed if they can be combined
> as a legitimate comma-separated list value. See RFC 7320, Section 3.2.2:
>> A sender MUST NOT generate multiple header fields with the same field
>> name in a message unless either the entire field value for that
>> header field is defined as a comma-separated list [i.e., #(values)]
>> or the header field is a well-known exception (as noted below).
This isn't sufficient because it doesn't say how a parser should interpret
noncompliant repeated header fields; only that a sender must not generate
Daira Hopwood ⚥
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 490 bytes
Desc: OpenPGP digital signature
More information about the langsec-discuss