Safari and Chrome adding form values to URL
https://stackoverflow.com/questions/3541289
-
30-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Long story short: on Chrome and Safari only, values from a login form are sometimes pasted into the user's URL, even though the actual login is POSTed via AJAX.
http://my-site.example/?name=user&pw=xxx&challenge=b1be8ad7aac242...
It's been reported repeatedly and I've seen it happen myself, but have been unable to reproduce it myself, much less figure out what on earth is going on. Here's what the login form boils down to:
<form name="login">
<input type="Text" name="name">
<input type="password" name="pw">
<input type="hidden" name="challenge">
<input type="button" onclick='JavaScript:xmlhttpPost("/php/login.php")'>
</form>
The actual POSTed request does not even contain the challenge parameter:
function xmlhttpPost(strURL) {
if (window.XMLHttpRequest) {
self.xmlHttpReq = new XMLHttpRequest();
} else if (window.ActiveXObject) {
self.xmlHttpReq = new ActiveXObject("Microsoft.XMLHTTP");
}
self.xmlHttpReq.open('POST', strURL, true);
...
query = 'name=' + encodeURIComponent(name) + '&pw=' + encodeURIComponent(hash) + '&lpw=' + encodeURIComponent(legacy_hash);
self.xmlHttpReq.send(query);
}
And on successful login, the user is redirected back to the same page (= forced to reload) if and only if they have a different language setting from the default:
location.href = "http://" + location.host + location.pathname;
Any ideas?
Solution
Iin the cases you describe, the form actually gets posted, probably because the user has Javascript turned off or a script error occurs in xmlhttpPost.
The form will get sent as a GET request in some browsers because you don't specify a method property. (I think GET is the correct default per the standard, but some browsers deviate from this). Thus, the form data will end up in the URL.
Give the form a method="POST": That will fix the password data in URLs part.
OTHER TIPS
You know what I hate most about Stack Overflow? The fact that, by making you lay out even your most intractable problems in as simple and reduced a form as possible, you often stumble into the solutions yourself, usually about 5 seconds after submitting.
This time, it turns out that pressing ENTER was causing Safari/Chrome (Webkit) to submit the form and stick the parameters in the URL. The cure was simple:
<form name="login" onSubmit='JavaScript:return false;'>
And a tip o' the hat here:
How can I prevent WebKit browser to submit a form when enter is pressed in an input
