Process only the first Strict-Transport-Security header.

net/http/http_util.cc

Index: net/http/http_util.cc
===================================================================
--- net/http/http_util.cc	(revision 161880)
+++ net/http/http_util.cc	(working copy)
@@ -392,7 +392,11 @@
     // The format of auth-challenges mixes both space separated tokens and
     // comma separated properties, so coalescing on comma won't work.
     "www-authenticate",
-    "proxy-authenticate"
+    "proxy-authenticate",
+    // Perhaps incorrectly, Strict-Transport-Security specifies that UAs not
+    // process any STS headers after the first one. To enforce this, we must
+    // declare it non-coalescing.

[Ryan Sleevi, 2012/10/18 19:45:34]

comment nit: A nit I inherited from mark@, which is to discourage "we" in
comments. I find this is generally good, as it forces comments to be more
assertative.

// STS specifies that UAs must not process any STS headers after the first one.

[palmer, 2012/10/18 21:01:58]

Done.

+    "strict-transport-security"
   };
   for (size_t i = 0; i < arraysize(kNonCoalescingHeaders); ++i) {
     if (LowerCaseEqualsASCII(name_begin, name_end, kNonCoalescingHeaders[i]))