Chrome Version:
Chromium	50.0.2661.102 (Developer Build) Ubuntu 16.04 (64-bit)
Revision	496034c629901db4564ba5613e2d736635eeb082
OS	Linux 
Blink	537.36 (@496034c629901db4564ba5613e2d736635eeb082)

Other browsers tested:
  Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
     Safari:
    Firefox: OK
         IE: OK

What steps will reproduce the problem?

(1) Set up a server to serve a http-response with a header containing a '\n' character. Eg a 302 with:
Location: /redirect_after_signin?next=/foo\nSet-Cookie:Foo=Bar


What is the expected result?

(2) Chrome will parse the response for headers, splitting on [\r\n]+, instead of '\r\n' as specified in https://tools.ietf.org/html/rfc2616#section-6

(3) Chrome has now allowed a https://www.owasp.org/index.php/HTTP_Response_Splitting attack, if the unsanitized input in question is only sanitized for '\r\n', and not for naked '\n's.


What happens instead?

(1) The Example response will set a cookie.

IE and Firefox will not set a cookie with the same response.


Please provide any additional information below. Attach a screenshot if
possible:

This led to a security problem in a server that pushed unsantized user input into pythons webob.exc.HTTPFound(location=foobar). This has been fixed in webob as of a later version.

The existence of this bug is hinted upon by ericroman here: https://github.com/nwjs/chromium.src/commit/036d87726035ac500ba35ab41fdc9ef6128f0e4f#diff-f51b20e917be65b657c94752be485b58R302