Bug 258195 - Service Worker: Redirect loses hash fragment
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Service Workers
Version: Safari 16
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: youenn fablet
Keywords: InRadar
Reported: 2023-06-16 02:56 PDT by Lauritz
Modified: 2023-07-07 08:33 PDT
Description Lauritz 2023-06-16 02:56:58 PDT
Hi there!

Apparently WebKit has a comparable issue to: https://bugzilla.mozilla.org/show_bug.cgi?id=1420672

Redirects which include hash fragments and that are intercepted by Service Workers lose their fragment.


## Proof of concept

register_worker.html
```html
<script>
// Register the service worker that will intercept later navigations.
if ("serviceWorker" in navigator) {
  navigator.serviceWorker.register("/sw.js");
}
</script>
```

sw.js
```javascript
self.addEventListener("fetch", (event) => {
  console.log("fetch event");
  event.respondWith(fetch(event.request));
});
```

/index.php
```php
<?php
    header('Location: /test.html',true,301);
    exit();
```

test.html
```html
<script>alert(window.location)</script>
```

### Steps to reproduce
1. Browse /index.php#test => Observe that the redirect keeps the fragment as expected
2. Browse /register_worker.html to register the Service Worker
3. Browse /index.php#test => Observe that the redirect loses the fragment
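
The behaviour that steps 1 and 3 are compared against, as an added example that is not part of the original report and not WebKit's code: under the Fetch Standard, a redirect target without a fragment inherits the fragment of the URL that was requested. The function names, the origin `https://app.example` and the observed URL are constructed for illustration.

```javascript
// Added example (not WebKit code): fragment handling across redirects as the
// Fetch Standard defines it. All names and sample values are constructed.

// Resolve one redirect hop. A Location value with no "#" inherits the
// fragment of the requested URL; one that carries a fragment overrides it.
function resolveRedirect(currentUrl, locationHeader) {
  const current = new URL(currentUrl);
  const next = new URL(locationHeader, current); // relative Location allowed
  if (!locationHeader.includes("#")) {
    next.hash = current.hash;
  }
  return next.href;
}

// Walk a chain of Location values and return the URL that the final
// document should report in window.location.
function expectedFinalUrl(startUrl, locationHeaders) {
  return locationHeaders.reduce(
    (url, location) => resolveRedirect(url, location),
    startUrl
  );
}

// Compare the URL a browser actually reported with the expected one.
function checkNavigation(startUrl, locationHeaders, observedUrl) {
  const expected = new URL(expectedFinalUrl(startUrl, locationHeaders));
  const observed = new URL(observedUrl);
  return {
    expected: expected.href,
    match: observed.href === expected.href,
    fragmentLost: expected.hash !== "" && observed.hash === "",
  };
}

// Constructed run of the proof of concept: /index.php answers 301 with
// "Location: /test.html"; the observed URL is what step 3 describes.
const poc = checkNavigation(
  "https://app.example/index.php#test",
  ["/test.html"],
  "https://app.example/test.html"
);
console.log(poc);
```

The same check can be pointed at the value `test.html` reports before and after the worker is registered to confirm whether a given build still drops the fragment.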
Comment 1 Lauritz 2023-06-16 03:12:55 PDT
After filing this as a non-security issue at first, I think there could be potential security implications I had not thought of at first. For instance, in the context of OAuth/OIDC ("implicit flow"/"response_mode=fragment"), where sensitive information is passed between parties using the URL hash fragment. At the very least, this behavior could break an SSO login flow.
Comment 2 Radar WebKit Bug Importer 2023-06-23 02:57:15 PDT
<rdar://problem/111208014>
Comment 3 youenn fablet 2023-07-05 08:10:36 PDT
Pull request: https://github.com/WebKit/WebKit/pull/15565
Comment 4 EWS 2023-07-07 08:33:49 PDT
Committed 265845@main (e4b3080bb04a): <https://commits.webkit.org/265845@main>

Reviewed commits have been landed. Closing PR #15565 and removing active labels.