1630782 - form POST to another window/tab intercepted and rewrotten as a GET

Status: RESOLVED DUPLICATE of bug 1629441

(Core :: DOM: Core & HTML, defect)

Description

[Benoit Plessis]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

We have a webapp that include forms targetted at another application, setup to be openned in another tab/window (target="_blank").

Example:
<h1>Form into blank tab</h1>
<form method="POST" action="https://httpbin.org/post" target="_blank">
<input type="hidden" name="login" value="l0g1n">
<input type="hidden" name="password" value="p@ss0rd">
<input type="submit" name="sub" />
</form>

This setup work fine up to 74.0.1 but started to deteriorate with 75.0.0, in some conditions.

I'm not 100% sure of the cause, but the issue seem directly related to the "Local Files" admx gpo, or the corresponding preferences:

capability.policy.policynames localfilelinks_policy
capability.policy.localfilelinks_policy.checkloaduri.enabled allAccess
capability.policy.localfilelinks_policy.sites https://webapplication.url

In some case, some tweaking around "network.negotiate-auth.trusted-uris" was also necessary to reproduce the issue.

Funnyly enough, embedding the webapplication within another webapp (using iframe) prevent the issue.

Also POST-ing without a target is fine:

<h1>Form in local tab</h1>
<form method="POST" action="https://httpbin.org/post">
<input type="hidden" name="login" value="l0g1n">
<input type="hidden" name="password" value="p@ss0rd">
<input type="submit" name="sub" />
</form>

Actual results:

In the example above, httpbin reply "Method Not Allowed" because the initial POST is silently replaced by a GET.

Expected results:

Good old valid POST request

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Comment 4

[Benoit Plessis]

Crap sorry i missed it, i did two search and missed :(