Description
From #416.
Browsers seem to act upon partial response header blocks, which might introduce security issues. In particular, some will follow a redirect without getting the final separating \n, either upon a timeout or connection close.
For example, given:
printf "HTTP/1.1 301 Redirect\nLocation: https://evil.com/\n" | nc -l -p 8002 -c
Firefox 51 and Chrome 55 will redirect to evil.com upon connection close (-c).
Safari 10 will also navigate to evil.com upon connection close, although there appears to be a timer or race condition; you have to omit -c and manually kill nc after the request is sent.
HTTP talks about this here:
If a response terminates in the middle of the header section (before the empty line is received) and the status code might rely on header fields to convey the full meaning of the response, then the client cannot assume that meaning has been conveyed; the client might need to repeat the request in order to determine what action to take next.
cc @mcmanus
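Added example, not code from the issue or from any browser: a small client-side parser for a response head that shows the difference between acting on a partial header block at connection close (the behaviour reported above) and applying the quoted HTTP rule, plus a function that replays the nc probe so a browser can be pointed at it. The function names, the listening port and the hold time are assumptions chosen for illustration; the probe bytes are exactly what the printf above emits.

```python
"""Client-side handling of a response whose header section ends early.

Added example, not code from the issue or from any browser. The function
names, the port and the hold time are arbitrary choices for illustration.
"""
import re
import socket
import time

# Exactly the bytes the issue's printf emits: bare LF line endings and no
# empty line terminating the header section.
PROBE = b"HTTP/1.1 301 Redirect\nLocation: https://evil.com/\n"

REDIRECT_CODES = {301, 302, 303, 307, 308}
_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: [^\r\n]*)?$")


def split_head(buf):
    """Parse what has arrived so far of a response head.

    Returns (complete, status, headers). complete is True only once the
    empty line ending the header section has been seen. A bare LF is
    accepted as a line terminator, as RFC 7230 section 3.5 permits for
    recipients (the probe relies on that); a trailing CR is stripped.
    """
    lines = buf.split(b"\n")
    lines.pop()  # bytes after the last LF: an unterminated line, not usable yet
    lines = [ln[:-1] if ln.endswith(b"\r") else ln for ln in lines]
    if not lines:
        return False, None, {}
    m = _STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(m.group(1))
    headers = {}
    for ln in lines[1:]:
        if ln == b"":
            return True, status, headers  # header section terminated
        name, sep, value = ln.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % ln)
        headers[name.strip().lower()] = value.strip()
    return False, status, headers  # data ran out before the empty line


def lenient_redirect_target(buf, eof):
    """Mimics the reported Firefox 51 / Chrome 55 behaviour: once the
    connection closes, whatever header fields have arrived are acted upon."""
    complete, status, headers = split_head(buf)
    if status in REDIRECT_CODES and (complete or eof):
        return headers.get(b"location")
    return None


def strict_redirect_target(buf, eof):
    """Applies the rule quoted in the issue (RFC 7230 section 3.4): a head
    that ends before the empty line conveys no actionable meaning, so EOF is
    an incomplete response to be treated as an error (or retried if the
    request was safe), never as the missing terminator."""
    complete, status, headers = split_head(buf)
    if not complete:
        return None
    if status in REDIRECT_CODES:
        return headers.get(b"location")
    return None


def serve_probe(port=8002, close_immediately=True, hold_seconds=5.0):
    """Replay the issue's nc probe for one connection so a browser can be
    pointed at http://localhost:<port>/. close_immediately=True is the -c
    case; False holds the socket open for a while (the Safari variant)
    before closing. Port and hold time are arbitrary for this example."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)  # consume the request; its contents do not matter
            conn.sendall(PROBE)
            if not close_immediately:
                time.sleep(hold_seconds)
        # Leaving the with-block closes the connection without ever sending
        # the empty line that would complete the header section.
```

With the probe bytes, lenient_redirect_target returns the Location only once eof is True, which is the reported browser behaviour; strict_redirect_target returns None for the same input regardless of eof and only yields the target once the empty line has arrived. The strict variant is the one a client should implement, since the request has to be repeated (if safe) or failed rather than acted upon.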