Bug 258195

Summary: Service Worker: Redirect loses hash fragment
Product: WebKit Reporter: Lauritz <webkit>
Component: Service WorkersAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, cdumez, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Safari 16   
Hardware: Unspecified   
OS: Unspecified   

Description Lauritz 2023-06-16 02:56:58 PDT 
Hi there!

Apparently Webkit has a comparable issue to: https://bugzilla.mozilla.org/show_bug.cgi?id=1420672

Redirects which include hash fragments and that are intercepted by Service Workers lose their fragment.


## Proof of concept

register_worker.html
```html
<script>
if ("serviceWorker" in navigator) {
  navigator.serviceWorker.register("/sw.js")
}
```

sw.js
```javascript
self.addEventListener("fetch", (event) => {
  console.log("fetch event");
  event.respondWith(fetch(event.request));
});
```

/index.php
```php
<?php
    header('Location: /test.html',true,301);
    exit();
```

test.html
```javascript
<script>alert(window.location)</script>
```

### Steps to reproduce
1. Browse /index.php#test => Observe that redirect keeps fragment as expected
2. Browse /register_worker.html to Register Service worker
3. Browse /index.php#test => Observe that redirect lose fragment
Comment 1 Lauritz 2023-06-16 03:12:55 PDT 
After filing this as non-security issue at first, I think there could be potential security implications I have not thought of at first. For instance, in the context of OAuth/OIDC ("implicit flow"/"response_mode=fragment"), where sensitive information is passed between parties using the url hash fragment. At the very least, this behavior could break an SSO login flow.
Comment 2 Radar WebKit Bug Importer 2023-06-23 02:57:15 PDT 
<rdar://problem/111208014>
Comment 3 youenn fablet 2023-07-05 08:10:36 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/15565
Comment 4 EWS 2023-07-07 08:33:49 PDT 
Committed 265845@main (e4b3080bb04a): <https://commits.webkit.org/265845@main>

Reviewed commits have been landed. Closing PR #15565 and removing active labels.