[Webkit-unassigned] [Bug 222558] [SOUP] HTTP method and version in web inspector network tab are not what WebKit actually sent

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 1 17:00:52 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=222558

Michael Catanzaro <mcatanzaro at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[SOUP] Request headers in   |[SOUP] HTTP method and
                   |web inspector are not what  |version in web inspector
                   |WebKit actually sent        |network tab are not what
                   |                            |WebKit actually sent

--- Comment #4 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Michael Catanzaro from comment #3)
> This is a more complex issue than the example.com test, though, and it
> occurs on an internal domain that I can't share. I should set up a public
> test for it to see what is really happening.

OK I've confirmed this too. I'm attaching a SoupServer test case to this bug. Run the test server, open the web inspector to the network tab, check "Preserve log" so the redirect doesn't erase the logging, then point WebKit to http://127.0.0.1:8080/post_then_redirect and watch the magic happen. What actually happens is this: WebKit will send a GET to /post_then_redirect (request #1), loading a page that contains a form that will submit itself with a POST request (request #2). The test server will respond with a 302 redirect in response to the POST request. WebKit will then send a GET request (request #3) to the redirect URI. But what the network tab of the web inspector displays is different.

First, the network inspector shows request #2 as a GET request: it shows "GET /redirect". I will attach a screenshot to prove this. But at *no point* did WebKit ever send "GET /redirect": that's just totally made up by the web inspector! WebKit actually sent "POST /redirect HTTP/1.1". What the server received was:

POST /redirect HTTP/1.1
Host: 127.0.0.1:8080
Referer: http://127.0.0.1:8080/post_then_redirect
Origin: http://127.0.0.1:8080
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Content-Length: 7
foobar=

(The Host line might be a libsoup artifact? I presume that isn't really sent. Not certain.)

Next, if I select Copy Request Headers in the web inspector, it copies request #3 (seems it always copies the final request, never the redirect), which was actually a GET request. But what it copies to my clipboard is a POST request! It copies this:

POST /
Referer: http://127.0.0.1:8080/post_then_redirect
Origin: http://127.0.0.1:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive

But what the server actually received for the redirected request was this:

GET / HTTP/1.1
Host: 127.0.0.1:8080
Referer: http://127.0.0.1:8080/post_then_redirect
Origin: http://127.0.0.1:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive

I decided to keep this as one bug for now, but can split it into three separate bugs if desired. Because it's really three issues: (1) web inspector doesn't display HTTP/1.1, (2) web inspector displays "GET /redirect" when WebKit really sent "POST /redirect" (screenshot will prove this), (3) web inspector copies "POST /" when WebKit really sent "GET / HTTP/1.1". Whether these are cross-platform bugs or soup backend bugs, I do not know.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210302/5f1b303c/attachment.htm>

More information about the webkit-unassigned mailing list