Header injection in Sinatra/Rack

Rack is the root of the problem. Chrome uses \n internally as a delimiter for “arrays of cookies”, so it blocks \n-based injections, but \r-based ones are working fine. This means all web Ruby software relying on Rack header validation is vulnerable to header injection. Even Rails: they have a “monkey patch” removing \r\n from the “Location” header, but the rest of the headers stay untouched. When the browser sees a non-empty Location it ignores all other headers but Set-Cookie.

Source: http://homakov.blogspot.com/2014/01/header-injection-in-sinatra.html
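The mitigation the post implies, as an added example that is not code from the original post or from Rack itself: a Rack-style middleware that refuses to send any response header containing CR or LF, wrapped around a constructed (hypothetical) redirect app that copies a user-supplied URL into Location. It is pure Ruby and does not need the rack gem.

```ruby
# Added example, not from the original post: a Rack-style middleware that refuses
# to emit any response header containing CR or LF. Pure Ruby, no rack gem needed.

# A lone \r is enough to end a header line in some browsers, so reject both
# characters rather than only the \r\n pair.
def header_injection?(value)
  value.to_s.match?(/[\r\n]/)
end

# Walk a Rack headers hash (values may be strings or arrays) and raise on the
# first unsafe value, so the injected header never reaches the client.
def assert_safe_headers!(headers)
  headers.each do |name, value|
    Array(value).each do |v|
      raise ArgumentError, "CR/LF in response header #{name}" if header_injection?(v)
    end
  end
  headers
end

# Middleware: wraps any Rack app and validates its headers before they are sent.
class StrictHeaders
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, assert_safe_headers!(headers), body]
  end
end

# Constructed vulnerable app (hypothetical): a redirect that copies a
# user-supplied URL straight into Location, the pattern the post describes.
REDIRECT_APP = lambda do |env|
  target = env["QUERY_STRING"].to_s.sub(/\Aurl=/, "")
  [302, { "Location" => target }, []]
end

# Drive the wrapped app with a raw query string; returns the Rack triple or raises.
def run_redirect(query_string)
  StrictHeaders.new(REDIRECT_APP).call("QUERY_STRING" => query_string)
end
```

A clean URL passes through unchanged; a value carrying a bare \r is rejected before the response leaves the middleware, which is the check Rack's own validation did not perform at the time of the post.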
