The initial report was:
When sending users to <website> via HTML form with a GET method, WebKit browsers (Chrome, Safari, and some Android browsers) append a "?" character (see WebKit bug 30103 (https://bugs.webkit.org/show_bug.cgi?id=30103) and Chrome bugs 108690, 121380 (http://code.google.com/p/chromium/issues/detail?id=108690,http://code.google.com/p/chromium/issues/detail?id=121380).I reported the issue, the cause of the issue, the symptoms, the URLs involved, and a resolution path.
This causes the browser to access "http://<website>/?" which redirects to http://<vendor website>/?" Note the trailing "?" on the <vendor> URL. The "?" is preserved, and appended to the password field, rending the URL invalid, and presenting the user with a login screen.
Could you please update the redirect handling on <website> to not preserve the "?" character that WebKit is sending? Side note: any value sent after <website> is also preserved, triggering the same behavior. E.g.:<website>/foo redirects to <vendor website/foo ; while one can take the stance "don't do that", it would be a better user experience to not preserve any path data if it is going to cause errors like this.
Could you provide the screenshots of the issue you reported until the "?" is preserved, and appended to the password field, rending the URL invalid, and presenting the user with a login screen. This will help in forwarding this issue to the concerned department for further investigation.Screenshots?
Really?
To address an issue with how a vanity entry web site mishandles any extra data passed in the URL you want screenshots?
Really?!?
OK, fine, I'll take some screen captures of exactly what I stated and send them.
 |
| The website URL |
 |
| The vendor URL |
The "?" abides.
Thank you for your email and also for the screenshots. I have forwarded this issue to the appropriate department for further investigation. I will contact you as soon as there is any information regarding this.I have passed the gauntlet, there is hope that this issue will be fixed!
I received an update from the concerned department regarding the issue with sending users to <website> via HTML form with a GET method, WebKit browsers (Chrome, Safari, and some Android browsers) append a "?" character. The concerned department has requested for the exact sequence of steps to duplicate this issue. Could you provide the same.Umm. HTML form....GET method...this is not looking good.
Load this basic HTML form in a Chrome browser:
<form method="get" action="<website>" >
<input type="submit"/>
</form>
Click the submit button. Chrome will append a "?" character to the URL, and the <vendor> login error page will be generated.
I can appreciate the need for a good test case, but this one seemed pretty straightforward...
Thank you for your email and for the additional information too. I have forwarded this to the appropriate department for further review. I will keep you updated as I receive any information in this direction.My enthusiasm has been diminished, but we'll see if that's the missing part the vendor needed to resolve this.
I received the following update from the concerned department regarding " WebKit browsers (Chrome, Safari, and some Android browsers) appending a "?" character. The update is that 'this appears to be an issue with webkit itself and will have to be fixed by google or apple in the webkit engine. Unfortunately we do not think there is anything we can do on the <vendor> side since this is not specific to <vendor service>. This would happen with any URL.Sigh. I am not asking them to fix WebKit; I am asking them to fix the way their vanity entry website handles redirecting users into their service platform website to address a very specific browser issue.
I can't help but think of old school burlesque/vaudeville comedy routines (Who's on First, etc.), and the memorable scene from Pulp Fiction between Jules Winnfield (Samuel L. Jackson) and Brett (Frank Whaley).
Apparently the "concerned department" does not grasp the concept of the Robustness Principle. Funny thing is, the other vanity entry web sites for this vendor work just fine, it's only this one entry point that is broken.
Get the popcorn, kids! This one could drag out for a while.
No comments:
Post a Comment