Whether Google will always use the url from rel=canonical as the preferred url? “The answer is that we take rel=canonical urls as a strong hint, but in some cases we won’t use them: for e.g., if you’re pointing a rel=canonical toward a non-existent/404 page, we’d reserve the right not to use the destination url you specify with rel=canonical.
Also, we might not go with your rel=canonical preference: if we think your website has been hacked and the hacker added a malicious rel=canonical,” explains Matt Cutts.
Another example cited: “should Google trust rel=canonical if we see it in the body of the HTML? The answer is no, because some websites let people edit content or HTML on pages of the site. If Google trusted rel=canonical in the HTML body, we’d see far more attacks where people would drop a rel=canonical on part of a web page to try to hijack it.”
“Finally, if Google see weird stuff in HEAD section — such as, if you insert regular text or other tags that normally only are part of BODY section into the HEAD — Google mightn’t trust rel=canonical in those cases. Because, they don’t allow rel=canonical in the BODY.”
Cutts advises that “as long as your HEAD looks fairly normal, things should be fine. If you really want to be safe, you can make sure that the rel=canonical is the first or one of the first things in the HEAD section. Again, things should be fine either way, but if you want an easy rule of thumb: put the rel=canonical toward the top of the HEAD.”
[Source: Matt Cutts]