Bug 294715

Summary: Service Worker update requests have a malformed referer (referer: https:)
Product: WebKit Reporter: xss
Component: Service WorkersAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, ahmad.saleem792, beidson, cdumez, karlcow, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Safari 18   
Hardware: Mac (Apple Silicon)   
OS: macOS 15   

xss
Reported 2025-06-18 23:30:27 PDT
When a service worker is first loaded the referer for the service worker javascript is sent correctly (eg https://horus.sondehub.org/) however the update requests seem to have malformed referer - "https:" . This could trigger a 500 Internal Server Error if the backend raises an error while processing the referer preventing it from being updated. Additionally no logging in the console occurred to indicate an error fetching the service worker. Since the service worker update requests aren't shown in the developer tools it has to be monitored either from the backend or using a mitmproxy. For the below example I used "mitmproxy --mode local". An example website is "https://horus.sondehub.org/". You can observe that the first service worker install request headers are correct. Then close the tab and open a new tab to the same location ("https://horus.sondehub.org/") and it will show referer set to "https:". Where I work can see this issue occurring across iOS and Safari requests - While Chrome and Firefox are unaffected. The below test was performed on `15.5 (24F74)` and `Version 18.5 (20621.2.5.11.8)` In the example I expect the second request to have the referer header set to https://horus.sondehub.org/ or not set at all. First request (service worker unregistered): GET https://18.155.88.109/sw.js HTTP/2.0 Detail sec-fetch-site: same-origin accept: */* cache-control: max-age=0 if-none-match: W/"0f7f8371002ecf9d8f15f06503a59100" sec-fetch-mode: same-origin if-modified-since: Sat, 14 Jun 2025 22:56:29 GMT user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15 referer: https://horus.sondehub.org/ sec-fetch-dest: serviceworker service-worker: script accept-language: en-AU,en;q=0.9 priority: u=3, i accept-encoding: gzip, deflate, br Second load (service worker registered) GET https://18.155.88.109/sw.js HTTP/2.0 Detail user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15 referer: https: origin: https://horus.sondehub.org service-worker: script accept: */* accept-language: en-AU,en;q=0.9 priority: u=5, i accept-encoding: gzip, deflate, br No request content
Attachments
Add attachment proposed patch, testcase, etc.
xss
Comment 1 2025-06-18 23:31:52 PDT
Additional Information: Workbox is being used for the service worker, however I don't believe its configuration plays a part in the issue.
Radar WebKit Bug Importer
Comment 2 2025-06-25 23:31:13 PDT
<rdar://problem/154364616>
youenn fablet
Comment 3 2025-06-26 08:06:47 PDT
Pull request: https://github.com/WebKit/WebKit/pull/47240
EWS
Comment 4 2025-06-26 23:49:59 PDT
Committed 296710@main (7a0a88ad50af): <https://commits.webkit.org/296710@main> Reviewed commits have been landed. Closing PR #47240 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.