[Webkit-unassigned] [Bug 201950] New: HTTP POST is losing application/x-www-form-urlencoded query component if there's a redirect to different host

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 18 15:12:24 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=201950

            Bug ID: 201950
           Summary: HTTP POST is losing application/x-www-form-urlencoded
                    query component if there's a redirect to different
                    host
           Product: WebKit
           Version: Safari 12
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: julio at monteiro.eti.br

SUMMARY:

Issuing HTTP POST with application/x-www-form-urlencoded query component (aka "form data", "request data" or "body data") and being redirected to a different host is causing the query component to be lost/removed/ignored.

REPRODUCTION STEPS:

1. Issue an HTTP POST with application/x-www-form-urlencoded query component to a page
2. In the page receiving the HTTP POST with application/x-www-form-urlencoded query component, return status HTTP 307 (temp redirect) to another page in a different domain or subdomain.
3. In this different domain or subdomain, receive the HTTP POST and print the application/x-www-form-urlencoded query component received.

EXPECTED RESULT: Correctly receive the application/x-www-form-urlencoded query component in the final page.

ACTUAL RESULT: application/x-www-form-urlencoded query component isn't received, although the request is kept as HTTP POST.

PROOF OF CONCEPT:
1. Open https://redirection-experiment.herokuapp.com on Safari/WebKit
2. It will redirect you to a different domain (redirection-experiment-landing.herokuapp.com)
3. You'll notice that the application/x-www-form-urlencoded query component `content=something` isn't sent to the different host redirection-experiment-landing.herokuapp.com in the end.

Source code can be found at https://github.com/jmonteiro/redirection-experiment/blob/master/app.rb (for https://redirection-experiment.herokuapp.com) and https://github.com/jmonteiro/redirection-experiment-landing/blob/master/app.rb (for https://redirection-experiment-landing.herokuapp.com).

Repeat the same process on any other browsers (such as Firefox, Chrome, etc) and this issue will not happen.

NOTES:
 * Confirmed on Safari 12.1.2 (14607.3.9) for macOS, Safari for iOS (iOS v 12.4.1), and WebKit build r250050. Tested on other browsers (latest from Chrome for macOS and Windows, Firefox for macOS and Windows, Brave for macOS and Windows, Edge and Internet Explorer) and they are not affected by this issue.
 * This appears only to happen when the host changes. If the same steps are taken in the same host, the issue won't happen.
 * Documentation on MDN specifies that for the 307 redirection, "The method and the body of the original request are reused to perform the redirected request." (source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307)
 * Looking at the RFC 7231 Section 6.4.7 regarding 307 status, there's no mention about the application/x-www-form-urlencoded query component being either kept or ignored, so I'm not sure if this is just a de-facto standard among browsers, or if this is documented somewhere. (source: https://tools.ietf.org/html/rfc7231#section-6.4.7)
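
The reproduction steps above as a local harness (an added example, not part of the original report and not the code from the linked repositories). It assumes `127.0.0.1` and `localhost` stand in for the two hosts; `post_following_307` is a hypothetical reference client that repeats the method and body at the `Location` target, which is the behaviour the report expects.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def make_handler(redirect_to=None, seen=None):
    """Build a POST handler: answer 307 to redirect_to, or record the body in seen."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length") or 0)
            body = self.rfile.read(length).decode()
            if redirect_to:
                self.send_response(307)
                self.send_header("Location", redirect_to)
            else:
                seen.append((self.headers.get("Host"), body))
                self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the run quiet
            pass
    return Handler

def start(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def post_following_307(url, body, hops=5):
    """Reference client: on 307, repeat the same POST and body at Location."""
    for _ in range(hops):
        u = urlsplit(url)
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        conn.request("POST", u.path or "/", body, {"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        resp.read()
        status, url = resp.status, resp.getheader("Location")
        conn.close()
        if status != 307:
            return status
    raise RuntimeError("redirect limit reached")

def run_experiment(body="content=something"):
    # Assumption: "127.0.0.1" -> "localhost" models the report's change of host.
    seen = []  # (Host header, body) pairs recorded by the landing server
    landing = start(make_handler(seen=seen))
    first = start(make_handler(redirect_to="http://localhost:%d/" % landing.server_port))
    status = post_following_307("http://127.0.0.1:%d/" % first.server_port, body)
    return status, seen
```

`run_experiment()` returns the final status and what the landing server recorded; an empty body in `seen` is the ACTUAL RESULT described in the report.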
