Safari treat CR alone in response header as end-of-line. [nginx.conf] add_header X-header 'foo\rSet-Cookie: var=exploit'; This will set the cookie's value. In rfc2616, CR alone in headers is not spec'd. But I think it is difficult for application developers to recognize needs to escape CR alone in response header referencing rfc2616. I think it is better to disallow CR alone as end-of-line. f I've also opened this issue in chromium bug-trackers. https://bugs.chromium.org/p/chromium/issues/detail?id=619579
HTTP is implemented in Apple frameworks below WebKit. Could you please file a bug for Apple to take a look via <https://bugreport.apple.com>?
Thank you. I'll report it to apple.