Comment 10 for bug 737311

The h= discussion in 3.5 is even stronger. "The field MUST contain the complete list of header fields in the order presented to the signing algorithm." Those two together (3.5 and 3.7) I think mean it has to be first to last. (nevermind if i misunderstood your comment, I didn't check the code).