| Summary: | Service Worker: Redirect loses hash fragment | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Lauritz <webkit> |
| Component: | Service Workers | Assignee: | youenn fablet <youennf> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | achristensen, cdumez, webkit-bug-importer, youennf |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 16 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |

Description
Lauritz
2023-06-16 02:56:58 PDT
After filing this as a non-security issue at first, I think there could be potential security implications I have not thought of at first. For instance, in the context of OAuth/OIDC ("implicit flow"/"response_mode=fragment"), where sensitive information is passed between parties using the URL hash fragment. At the very least, this behavior could break an SSO login flow.

Pull request: https://github.com/WebKit/WebKit/pull/15565

Committed 265845@main (e4b3080bb04a): <https://commits.webkit.org/265845@main>

Reviewed commits have been landed. Closing PR #15565 and removing active labels.