MongooseIM
Malware modifies request which causes bad request
We are experiencing a problem with clients with new laptops that come with different types of "vendor supplied" malware. The malware modifies browser requests, and for websockets it inserts a 'Connection: keep-alive' header into the stream:
GET /ws-xmpp/ HTTP/1.1
Host: chat.cego.dk
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Connection: Upgrade
Origin: http://robert.dev.komogvind.dk
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: da-DK,da;q=0.8,en-US;q=0.6,en;q=0.4
Sec-WebSocket-Key: E4OlnWChwDS3ClHpQnyIEg==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Protocol: xmpp
HTTP/1.1 400 Bad Request
connection: keep-alive
server: Cowboy
date: Wed, 14 Jan 2015 09:10:05 GMT
content-length: 0
The problem goes away if we help the user run antivirus, but this is time-consuming. As you can see, the 'Connection: Upgrade' header is still there. Would it be "bad design" to disregard the 'Connection: keep-alive' if 'Connection: Upgrade' is present?
Well, multiple Connection headers are valid from an HTTP point of view, so I think we should indeed support them.
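An added example, not code from MongooseIM or Cowboy and not part of either post: RFC 7230 section 3.2.2 lets a recipient combine repeated list-valued header fields into one comma-separated value, and RFC 6455 only requires that the Connection field include the token "Upgrade", compared case-insensitively. The sketch below merges both Connection lines from the capture above (trimmed) before testing for the token; the function names and the single-header check are hypothetical.

```python
# Added example. SAMPLE_REQUEST is a trimmed copy of the capture in the issue.
SAMPLE_REQUEST = (
    "GET /ws-xmpp/ HTTP/1.1\r\n"
    "Host: chat.cego.dk\r\n"
    "Connection: keep-alive\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Key: E4OlnWChwDS3ClHpQnyIEg==\r\n"
    "Sec-WebSocket-Protocol: xmpp\r\n"
    "\r\n"
)


def parse_header_lines(raw):
    """Return [(lowercased-name, value), ...] in wire order, keeping repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    fields = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.lower(), value.strip()))
    return fields


def list_tokens(fields, name):
    """Merge every occurrence of a list-valued header into one token set."""
    tokens = set()
    for field_name, value in fields:
        if field_name == name:
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def naive_is_upgrade(fields):
    """Hypothetical check that reads only the first Connection header."""
    first = next((v for n, v in fields if n == "connection"), "")
    return first.lower() == "upgrade"


def is_websocket_upgrade(fields):
    """Handshake check over the merged Connection and Upgrade token lists."""
    return ("upgrade" in list_tokens(fields, "connection")
            and "websocket" in list_tokens(fields, "upgrade"))
```

The merged check accepts the request whether the tokens arrive on two lines or as a single `Connection: keep-alive, Upgrade` line, and it still rejects a request that carries no Upgrade token at all.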