303475 2025-12-03 07:22:37 -0800 HTTPS 307 redirect forgets POST body after accepting certificate warning 2025-12-10 07:23:11 -0800 1 1 1 Unclassified WebKit Page Loading Safari 26 Mac (Apple Silicon) iOS 26 NEW InRadar P2 Normal --- 1 alexander.zeijlon webkit-unassigned achristensen ap beidson ossman webkit-bug-importer oldest_to_newest 2162917 0 477598 alexander.zeijlon 2025-12-03 07:22:37 -0800 Created attachment 477598 redirect-servers.py starts two Python Flask apps. Go to http://127.0.0.1:5000/ and post the form to see the faulty behavior in Safari. Steps to reproduce: 1. Set up "Server A" (HTTP) and "Server B" (HTTPS with a self-signed/untrusted certificate). 2. Configure Server A to respond to a POST request at /redir with HTTP 307 Temporary Redirect and a Location header pointing to https://ServerB/target. 3. Ensure the certificate for Server B is NOT currently in the browser's exception list (clear recent history/site preferences if necessary). 4. Open Firefox Network Monitor (DevTools). 5. Create an HTML form to send a POST request with a body (e.g., {"data": "FORM POST DATA"}) to http://ServerA/redir. 6. Submit the form. Firefox will block the redirect and show the "Potential Security Risk Ahead" page for Server B. 7. Click "Advanced" -> "Accept the Risk and Continue". 8. Observe the method of the request sent to Server B in the Network Monitor or server logs. See attached example servers written in Python (Flask). Actual results: Firefox resumes the request to the target URL but changes the HTTP method from POST to GET and discards the request body. Expected results: The request to https://ServerB/target should be a POST request containing the original body data. According to RFC 7231, a 307 redirect MUST NOT allow the method to change unless the user explicitly confirms it. In this specific case, the user is confirming the certificate exception, not a change in HTTP method. The expectation is that once the security exception is granted, the original request (POST + Body) is replayed exactly as intended by the 307 status code. See https://datatracker.ietf.org/doc/html/rfc7231#section-6.4.7 Note that Google Chrome and MS Edge seem to work as explained above, while Epiphany and Safari (WebKit browsers) and Firefox have similar faulty behaviors. 2163208 1 alexander.zeijlon 2025-12-04 05:40:27 -0800 Apologies! I just realized that there are plenty of references to Firefox in the problem description. These should of course say "Safari". (The bug was reported to both WebKit and Mozilla, hence the mistake.) 2163523 2 alexander.zeijlon 2025-12-05 00:23:25 -0800 I tried to work around this by making the form post directly to the Location header's URL instead of setting the Location header, <form action="https://ServerB/target" method="post">. But this also does not work. The request is changed to a GET, and the request body is lost. In this instance, it looks like Safari/WebKit is the only browser engine that changes the method when it encounters an untrusted certificate. 2164794 3 webkit-bug-importer 2025-12-10 07:23:11 -0800 <rdar://problem/166225292> 477598 2025-12-03 07:22:37 -0800 2025-12-05 00:15:40 -0800 redirect-servers.py starts two Python Flask apps. Go to http://127.0.0.1:5000/ and post the form to see the faulty behavior in Safari. redirect-servers.py text/x-python 1189 alexander.zeijlon IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKaW1wb3J0IHRocmVhZGluZwpmcm9tIGZsYXNrIGltcG9y dCBGbGFzaywgcmVkaXJlY3QsIHVybF9mb3IsIHJlcXVlc3QKCmFwcDEgPSBGbGFzaygiYXBwMSIp CmFwcDIgPSBGbGFzaygiYXBwMiIpCgpGT1JNPSIiIgo8Zm9ybSBhY3Rpb249Ii9yZWRpciIgbWV0 aG9kPSJwb3N0Ij4KICA8bGFiZWwgZm9yPSJmbmFtZSI+UE9TVCBEQVRBOjwvbGFiZWw+CiAgPGlu cHV0IHR5cGU9InRleHQiIG5hbWU9ImRhdGEiIHZhbHVlPSJGT1JNIFBPU1QgREFUQSI+PGJyPgog IDxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJTdWJtaXQiPgo8L2Zvcm0+CiIiIgoKQGFwcDEu cm91dGUoIi8iKQpkZWYgaW5kZXgxKCk6CiAgICByZXR1cm4gRk9STQoKQGFwcDEucm91dGUoIi9y ZWRpciIsIG1ldGhvZHM9WyJHRVQiLCAiUE9TVCJdKQpkZWYgcmVkaXJlY3RfcGF0aCgpOgogICAg cmV0dXJuIHJlZGlyZWN0KCJodHRwczovLzEyNy4wLjAuMTo1MDAxLyIsIGNvZGU9MzA3KQoKQGFw cDIucm91dGUoIi8iLCBtZXRob2RzPVsiR0VUIiwgIlBPU1QiXSkKZGVmIGluZGV4MigpOgogICAg aWYgcmVxdWVzdC5tZXRob2QgIT0gIlBPU1QiOgogICAgICAgIHJldHVybiBmIkV4cGVjdGVkIG1l dGhvZCB0byBiZSAnUE9TVCcsIHdhcyB7cmVxdWVzdC5tZXRob2Qhcn0iCiAgICByZXR1cm4gZiJS ZWNlaXZlZDoge3JlcXVlc3QuZm9ybVsnZGF0YSddIXJ9IgoKaWYgX19uYW1lX18gPT0gIl9fbWFp bl9fIjoKICAgIHRocmVhZDEgPSB0aHJlYWRpbmcuVGhyZWFkKAogICAgICAgIHRhcmdldD1hcHAx LnJ1biwKICAgICAgICBrd2FyZ3M9eyJob3N0IjogIjAuMC4wLjAiLCAicG9ydCI6IDUwMDB9CiAg ICApCiAgICB0aHJlYWQyID0gdGhyZWFkaW5nLlRocmVhZCgKICAgICAgICB0YXJnZXQ9YXBwMi5y dW4sCiAgICAgICAga3dhcmdzPXsiaG9zdCI6ICIwLjAuMC4wIiwgInBvcnQiOiA1MDAxLCAic3Ns X2NvbnRleHQiOiAiYWRob2MifQogICAgKQoKICAgIHRocmVhZDEuZGFlbW9uID0gVHJ1ZQogICAg dGhyZWFkMi5kYWVtb24gPSBUcnVlCgogICAgdGhyZWFkMS5zdGFydCgpCiAgICB0aHJlYWQyLnN0 YXJ0KCkKCiAgICB0cnk6CiAgICAgICAgdGhyZWFkMS5qb2luKCkKICAgICAgICB0aHJlYWQyLmpv aW4oKQogICAgZXhjZXB0IEtleWJvYXJkSW50ZXJydXB0OgogICAgICAgIHBhc3MKCg==