This repository contains a simple example of how Chrome may process headers on a request after it has been aborted when a Service Worker is in place. If the headers include a cookie that is used for authentication, this would essentially log the user back in.
The earliest known version of Chrome where this is reproducible is 76.0.3809.132 (stable). The response headers do not appear in the dev tools Network tab, but the set-cookie header is processed on the aborted request. In 79.0.3909.0 (Canary), the headers can also be observed in the dev tools Network tab.
The included web server services the following requests:
| method | URL | behavior |
|---|---|---|
GET |
/ |
Serves the index.html page and sets CookieCreatedAfterAbort HTTP cookie |
GET |
/delayedApiResponse |
sets CookieCreatedAfterAbort HTTP cookie (response delayed by 5000ms) |
GET |
/logout |
removes CookieCreatedAfterAbort cookie |
The default index page:
- Installs a
ServiceWorkerthat merely logs requests on thefetchevent (it does not cache or otherwise alter the response). - Waits for the
ServiceWorkerto be activated, then makes a fetch request toGET /delayedApiResponse. - After 2500ms, the request is aborted and
GET /loginis called to immediately remove the cookie.
The problem:
- After the
GET /delayedApiResponseis aborted, the headers are processed by the browser when a response is received, which recreates the cookie.
-
Install dependencies
yarnornpm i -
Start HTTP server
yarn startornpm start -
In Chrome Canary (specifically tested with
79.0.3915.0), open the developer tools and go to https://localhost:3000- Immediately on page load, note that a
CookieCreatedAfterAborthas been created - After about 2500ms, note the
GET /logoutand that there is no longer aCookieCreatedAfterAbortcookie - About 5000ms after the page is loaded, note that there are response headers listed for the aborted
GET /delayedApiResponserequest - Also note that the
CookieCreatedAfterAborthas been recreated
- Immediately on page load, note that a