Google Chrome Reports “Duplicate headers received from server”

Chrome Duplicate Headers Message

It seems that this error message has been around since version 16 of Chrome, and was first reported sometime in 2011. The error message basically says that it received two Content-Disposition headers, and that the response was blocked to prevent HTTP response splitting attacks. However, in most cases this error isn’t caused by malicious code, but rather because of an innocuous comma in the filename parameter of the Content-Disposition header. Here’s an example of an actual response header I received while downloading a resume from a popular career site: Content-Disposition: attachment; filename=Beresky_Resume,6pg.docx That was the only Content-Disposition header in the entire response, which raises the question: Why is this a duplicate header? Because according to the HTTP 1.1 specification, section … Continue reading