HTTPS 307 redirect forgets POST body after accepting MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
Product / Component: Firefox :: Security (defect)
Reporter: alexander.zeijlon; Assignee: Unassigned
Attachments: 1 file
Steps to reproduce:
- Set up "Server A" (HTTP) and "Server B" (HTTPS with a self-signed/untrusted certificate).
- Configure Server A to respond to a POST request at /redir with HTTP 307 Temporary Redirect and a Location header pointing to https://ServerB/target.
- Ensure the certificate for Server B is NOT currently in the browser's exception list (clear recent history/site preferences if necessary).
- Open Firefox Network Monitor (DevTools).
- Create an HTML form to send a POST request with a body (e.g., {"data": "FORM POST DATA"}) to http://ServerA/redir.
- Submit the form. Firefox will block the redirect and show the "Potential Security Risk Ahead" page for Server B.
- Click "Advanced" -> "Accept the Risk and Continue".
- Observe the method of the request sent to Server B in the Network Monitor or server logs.
See attached example servers written in Python (Flask).
Actual results:
Firefox resumes the request to the target URL but changes the HTTP method from POST to GET and discards the request body.
Expected results:
The request to https://ServerB/target should be a POST request containing the original body data.
According to RFC 7231, a 307 redirect MUST NOT allow the method to change unless the user explicitly confirms it. In this specific case, the user is confirming the certificate exception, not a change in HTTP method. The expectation is that once the security exception is granted, the original request (POST + Body) is replayed exactly as intended by the 307 status code.
See https://datatracker.ietf.org/doc/html/rfc7231#section-6.4.7
Note that Google Chrome and MS Edge seem to work as explained above, while Epiphany and Safari (WebKit browsers) have similar faulty behavior to Firefox.
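The following is an added, stand-alone reproduction of the redirect chain described in the steps above and of the RFC 7231 rule the report cites; it is not the Flask attachment from this bug and not Firefox code. It uses only the Python standard library: Server A answers POST /redir with a redirect to Server B, Server B echoes the method and body it actually received, and a small client follows the redirect the way RFC 7231 prescribes (307/308 replay the original method and body; 301/302/303 may be rewritten to GET). Running `reproduce(307)` gives the expected result from the report, and `reproduce(303)` produces the "method switched to GET, body discarded" outcome the report observes in Firefox, so the two can be compared directly. Assumptions: both servers are plain HTTP on 127.0.0.1 with OS-chosen ports (the TLS/self-signed-certificate step is left out so the script runs offline), and the names `ServerA`, `ServerB`, `follow` and `reproduce` are mine, not the reporter's.

```python
"""Added example, not the bug's attachment: minimal reproduction of a 307
redirect from Server A to Server B using only the standard library."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: plain HTTP on localhost for both servers (the report's Server B
# is HTTPS with a self-signed certificate; TLS is omitted here).
PRESERVE_METHOD = {307, 308}          # RFC 7231 section 6.4.7 / RFC 7538
MAY_SWITCH_TO_GET = {301, 302, 303}   # clients may (303: must) switch to GET


def _read_body(handler):
    length = int(handler.headers.get("Content-Length", 0))
    return handler.rfile.read(length) if length else b""


class ServerA(BaseHTTPRequestHandler):
    """Server A: redirects /redir to Server B with the configured status."""
    target = None    # set before starting, e.g. "http://127.0.0.1:PORT/target"
    status = 307

    def do_POST(self):
        _read_body(self)  # drain the body so the socket is left clean
        if self.path != "/redir":
            self.send_error(404)
            return
        self.send_response(self.status)
        self.send_header("Location", self.target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST  # a GET to /redir is redirected the same way

    def log_message(self, *args):  # keep output quiet
        pass


class ServerB(BaseHTTPRequestHandler):
    """Server B: echoes the method and body it actually received as JSON."""
    def _echo(self):
        body = _read_body(self)
        payload = json.dumps({"method": self.command,
                              "body": body.decode()}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _echo

    def log_message(self, *args):
        pass


def start(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(url, method, body):
    """One hop, no redirect following: returns (status, location, body)."""
    host, _, path = url.partition("//")[2].partition("/")
    conn = http.client.HTTPConnection(host, timeout=5)
    headers = {"Content-Length": str(len(body))} if body else {}
    conn.request(method, "/" + path, body=body or None, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location, data


def follow(url, method, body, max_hops=5):
    """Follow redirects per RFC 7231 and return what the final server saw."""
    for _ in range(max_hops):
        status, location, data = request(url, method, body)
        if status in PRESERVE_METHOD:
            url = location                          # keep method and body
        elif status in MAY_SWITCH_TO_GET:
            url, method, body = location, "GET", b""  # rewritten to GET
        else:
            return json.loads(data)
    raise RuntimeError("too many redirects")


def reproduce(status=307):
    """Run the A -> B chain with the given redirect status and return the
    method and body Server B received. The form data is constructed."""
    b = start(ServerB)
    ServerA.target = f"http://127.0.0.1:{b.server_port}/target"
    ServerA.status = status
    a = start(ServerA)
    try:
        return follow(f"http://127.0.0.1:{a.server_port}/redir", "POST",
                      b'{"data": "FORM POST DATA"}')
    finally:
        for srv in (a, b):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print("307:", reproduce(307))  # POST with body intact: the expected result
    print("303:", reproduce(303))  # GET with empty body: the observed result
```

The same `follow` function can be pointed at a real Server B over HTTPS once a certificate exception is in place; what the report is about is that the browser, after the exception is accepted, behaves like the `MAY_SWITCH_TO_GET` branch although the status was 307.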
Comment 1 • Reporter • 23 hours ago
I found bug 1805182 before reporting this bug, it might be related.
Comment 2 • 22 hours ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated • 20 hours ago