{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 看我几分像从前 的问题《Is HTTP Content-Length Header Safe to Trust?》','https://www.manongdao.com/q-834302.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Is it safe to trust the Content-Length HTTP header? According to the MDN docs it is a Forbidden header name. If I go to that page it says the following.
Modifying such headers is forbidden because the user agent retains full control over them.
But wouldn't there still be a way to spoof these values if you control the user agent?
I'm just trying to figure out how safe it is to trust those headers on that Forbidden header name page and if they are able to be spoofed at all.
Given the scenario you describe, yes it's possible for a client to set the incorrect Content-Length. There is no guarantee that it's correct.
If
Content-Lengthis too large, a server might wait and time-out to get the remainder of the data. If it's too small, the server might cut the TCP connection before the entire body came in, or in the case ofConnection: Keep-Alivethe server might assume the client started another HTTP request, get confused and send a bad request response.