Rack is the root of the problem. Chrome uses \n internally as a delimiter for “arrays of cookies” so it blocks \n-based injections, but \r-based ones are working fine. This means all Ruby web software relying on Rack headers validation is vulnerable to header injection. Even Rails: they have a “monkey patch” removing \r\n from the “Location” header, but the rest of the headers stay untouched. When the browser sees a non-empty Location it ignores all other headers but Set-Cookie.
Source: http://homakov.blogspot.com/2014/01/header-injection-in-sinatra.html
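
One way to close the gap described above, as an added example that is not from the original post or from Rack, Sinatra or Rails: a Rack-compatible middleware that fails closed when any response header, not only Location, carries a CR or NUL. The class name, the `demo.target` env key and the treatment of a bare LF as Rack 2's multi-value joiner are assumptions of this example.

```ruby
# Added example (not from the original post). Rack apps and middleware are
# plain objects responding to #call, so this runs without the rack gem.
class RejectHeaderInjection
  # CR and NUL never belong in a header value. A bare LF is tolerated only
  # because Rack 2 joins multiple values of one header with "\n" (assumption);
  # each LF-separated part is checked on its own.
  FORBIDDEN = /[\r\0]/
  # RFC 7230 "token" characters allowed in a header field name.
  TOKEN = /\A[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    bad = headers.find { |name, value| !safe?(name, value) }
    return [status, headers, body] unless bad

    body.close if body.respond_to?(:close)
    # Fail closed: do not forward a partially "cleaned" header that may be
    # attacker-influenced; replace the whole response instead.
    [500, { "Content-Type" => "text/plain" }, ["Invalid response header"]]
  end

  private

  def safe?(name, value)
    return false unless name.to_s.match?(TOKEN)

    Array(value).flat_map { |v| v.to_s.split("\n", -1) }
                .none? { |part| part.match?(FORBIDDEN) }
  end
end

# Constructed demo app: copies a request-derived value into Location, the
# way a redirect endpoint would. "demo.target" is a hypothetical env key.
REDIRECT_APP = ->(env) { [302, { "Location" => env["demo.target"] }, []] }
GUARDED = RejectHeaderInjection.new(REDIRECT_APP)
```

In a `config.ru` this would be mounted with `use RejectHeaderInjection` ahead of the application, so it inspects every header the app emits.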