Bug 258195

Summary: Service Worker: Redirect loses hash fragment
Product: WebKit Reporter: Lauritz <webkit>
Component: Service WorkersAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, cdumez, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Safari 16   
Hardware: Unspecified   
OS: Unspecified   

Lauritz
Reported 2023-06-16 02:56:58 PDT
Hi there! Apparently Webkit has a comparable issue to: https://bugzilla.mozilla.org/show_bug.cgi?id=1420672 Redirects which include hash fragments and that are intercepted by Service Workers lose their fragment. ## Proof of concept register_worker.html ```html <script> if ("serviceWorker" in navigator) { navigator.serviceWorker.register("/sw.js") } ``` sw.js ```javascript self.addEventListener("fetch", (event) => { console.log("fetch event"); event.respondWith(fetch(event.request)); }); ``` /index.php ```php <?php header('Location: /test.html',true,301); exit(); ``` test.html ```javascript <script>alert(window.location)</script> ``` ### Steps to reproduce 1. Browse /index.php#test => Observe that redirect keeps fragment as expected 2. Browse /register_worker.html to Register Service worker 3. Browse /index.php#test => Observe that redirect lose fragment
Attachments
Add attachment proposed patch, testcase, etc.
Lauritz
Comment 1 2023-06-16 03:12:55 PDT
After filing this as non-security issue at first, I think there could be potential security implications I have not thought of at first. For instance, in the context of OAuth/OIDC ("implicit flow"/"response_mode=fragment"), where sensitive information is passed between parties using the url hash fragment. At the very least, this behavior could break an SSO login flow.
Radar WebKit Bug Importer
Comment 2 2023-06-23 02:57:15 PDT
<rdar://problem/111208014>
youenn fablet
Comment 3 2023-07-05 08:10:36 PDT
Pull request: https://github.com/WebKit/WebKit/pull/15565
EWS
Comment 4 2023-07-07 08:33:49 PDT
Committed 265845@main (e4b3080bb04a): <https://commits.webkit.org/265845@main> Reviewed commits have been landed. Closing PR #15565 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.