Process only the first Strict-Transport-Security header.

net/http/http_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // The rules for parsing content-types were borrowed from Firefox:
 // http://lxr.mozilla.org/mozilla/source/netwerk/base/src/nsURLHelper.cpp#834
 
 #include "net/http/http_util.h"
 
 #include <algorithm>
@@ skipping 374 matching lines @@
   const char* kNonCoalescingHeaders[] = {
     "date",
     "expires",
     "last-modified",
     "location",  // See bug 1050541 for details
     "retry-after",
     "set-cookie",
     // The format of auth-challenges mixes both space separated tokens and
     // comma separated properties, so coalescing on comma won't work.
     "www-authenticate",
-    "proxy-authenticate"
+    "proxy-authenticate",
+    // Perhaps incorrectly, Strict-Transport-Security specifies that UAs not
+    // process any STS headers after the first one. To enforce this, we must
+    // declare it non-coalescing.

[Ryan Sleevi, 2012/10/18 19:45:34]

comment nit: A nit I inherited from mark@, which is to discourage "we" in
comments. I find this is generally good, as it forces comments to be more
assertative.

// STS specifies that UAs must not process any STS headers after the first one.

[palmer, 2012/10/18 21:01:58]

Done.

+    "strict-transport-security"
   };
   for (size_t i = 0; i < arraysize(kNonCoalescingHeaders); ++i) {
     if (LowerCaseEqualsASCII(name_begin, name_end, kNonCoalescingHeaders[i]))
       return true;
   }
   return false;
 }
 
 bool HttpUtil::IsLWS(char c) {
   return strchr(HTTP_LWS, c) != NULL;
@@ skipping 511 matching lines @@
       value_is_quoted_ = true;
       // Do not store iterators into this. See declaration of unquoted_value_.
       unquoted_value_ = HttpUtil::Unquote(value_begin_, value_end_);
     }
   }
 
   return true;
 }
 
 }  // namespace net