Firefox fails to implement JavaScript POST redirection like all other browsers

NEW
Unassigned

Status

()

P4
normal
11 months ago
10 months ago

People

(Reporter: bugreporter, Unassigned)

Tracking

59 Branch
Points:
---

Firefox Tracking Flags

(firefox60 affected, firefox62 affected)

Details

Attachments

(1 attachment)

(Reporter)

Description

11 months ago
Posted file postRedirection.js
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce:

All browsers other than Firefox (Chrome, Edge, IE, Safari) interpret an HTML page with no content other than a script that creates and posts a form as a JavaScript POST redirection, replacing the URL of the page with the target of the POST (the value of the action attribute of the form) in the browser history.  Firefox keeps the URL in the history, so that a click on the back button after the POST replays the POST.  The attached file is a Node.js application that demonstrates this.  Run it, visit Page 1 at /page1.html and submit the form.  This causes a POST request to /postTarget, which responds with a JavaScript POST rediretion to Page 2 at /page2.html.  After reaching Page 2, click the back button.


Actual results:

As can be seen in the browser console, clicking the back button results in a replay of the script at /postTarget and a return to Page 2.  The user is stuck at Page 2 and cannot go back to earlier pages using the back button.  Worse, the replay of the back button can have consequences unforeseen by the developer, like executing a payment transaction twice.


Expected results:

Clicking the back button at Page 2 should go to Page 1.  Chrome, Edge, IE and Safari do this.  Many developer forums recommend implementing POST redirection as exemplified in the attachment, but developers are not aware the Firefox does not implement it like the other browsers.
This issue occurs as explained by the reporter:
After running the node.js app provided by the reporter and trying the steps provided by him in any of the 3 main Mozilla version (nightly - v62.0a1, beta - 60.0, release - 59.0.3), the issue is reproduced (after clicking the browser's back button on page 2, the user is not redirected to page 1, but back to page 2).
This issue does not occur on the Chrome browser.
Status: UNCONFIRMED → NEW
status-firefox60: --- → affected
status-firefox62: --- → affected
Component: Untriaged → Document Navigation
Ever confirmed: true
Product: Firefox → Core
I don't find anything in the spec that says to omit a history entry if a script navigates away from the page before the load completes. Is there such spec language? Should there be?
Flags: needinfo?(annevk)
Priority: -- → P4

Comment 3

11 months ago
I don't think so and maybe; in large part this is also governed by UI choices that are very much up to the user agent. However, if this is a prevalent pattern as indicated by OP it should probably be covered.
Flags: needinfo?(annevk)
(Reporter)

Comment 4

10 months ago
(In reply to Henri Sivonen (:hsivonen) from comment #2)
> I don't find anything in the spec that says to omit a history entry if a
> script navigates away from the page before the load completes. Is there such
> spec language? Should there be?

After some additional experimentation, it seems that the issue is not whether to omit the URL of the current page from the history, but whether to replace it with the target URL of POST request.  Please see the blog post https://pomcor.com/2018/05/16/a-bypass-of-the-firefox-post-redirection-bug/
You need to log in before you can comment on or make changes to this bug.