[w3c/ServiceWorker] Can service workers mess with POST variables? (#1378) from Pedro Heliodoro on 2018-12-25 (public-webapps-github@w3.org from December 2018)

From: Pedro Heliodoro <notifications@github.com>
Date: Tue, 25 Dec 2018 07:20:28 -0800
To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/ServiceWorker/issues/1378@github.com>

Hello all, I have ran into a strange situation.

In an simple form submission with method POST, I have noted that my $_POST ( php ) variables were missing. I went to great lengths to find out that a service worker which stores an offline page and image was the one at fault.

I will start by stating my testing procedures:

Client side: Chrome Version 71.0.3578.98 (official build) (64 bits)

Server Side: Centos, Apache 2.4 serving HTT2 protocol.

Website: SSL Enabled with RewriteRules in place.

Server code: two clean pages. one page posting to a ssl and non-ssl secured page. Second page was dumping $_POST, $_REQUEST, file_get_contents("php://input") and $_SERVER

Issue: Submit https://site.com/test.php to https://site.com/test2.php and https://site.com/test.php to http://site.com/test2.php

Results: No POST vars present.

The homepage is the one that installs the worker but since it is still present in the browser, I believe it was the reason that it was messing with my POST requests, since I removed it from the browser and retried to submit with success.

I had tried previously to check for faults in the code, in .htaccess, but other websites had the same or similar rules and were working.

Even php://input was empty. That's when I found out that a $_SERVER["HTTP_REFERRER"] was the worker file.which struck me as odd as it should be the previous page that contained the form. Even weirder was that when I pressed refresh, the browser kept asking me to resubmit the form data.

Do you have any idea why this was happening?
Here is the worker code:
https://gist.github.com/jarodium/90edfbaa8caf912b2c9a6039554dfb0b

From what I can make of, it should not interfere with posts, but from what I have read on other websites, Redirects can mess with POST variables, so I believe the worker was somehow redirecting and messing with the variables? I took the code from an example on the web but seens harmful at first sigth.

Thank you in advance.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1378

Received on Tuesday, 25 December 2018 15:20:50 UTC