Excessively severe log message: "Unexpected GET request with wtd of existing Ajax session" -- in some cases
Versions of Wt since 4.4.0 can log a "[secure]" level message of "Wt: Unexpected GET request with wtd of existing Ajax session" for situations that do not represent a security concern.
This "Unexpected GET request" message can occur in bootstrap mode with Wt version 4.5.0-rc1-10-g802b86cd in at least two cases after the transition to ajax has occurred:
- Chromium-based browsers may re-send the "request=style" GET request the first time that the Developer Tools window is opened for a page. This results in a reply with 403 status and logs an "Unexpected GET request with wtd of existing Ajax session" message.
The impact of returning a 403 status seems to be harmless in both of the above cases, but the log message makes it sound like a potentially serious event.
Attached, for your review, is a lightly tested patch that permits style requests to be processed after ajax mode has been initiated. There is more information in the commit message for the patch.
NOTE: There are other style requests (observed in logs) where the 403 status and message did seem appropriate, e.g. different IP address. Applying the patch will restore pre-4.4.0 behavior for these, as well.
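To make the trade-off in the note above concrete, here is a small model of the gate, written for this page and not taken from the Wt source. It assumes (as a simplification) that a session records its wtd, whether it has switched to Ajax mode, and the client address that created it, and it compares the reported 4.4.0+ behaviour (any GET carrying the wtd of an Ajax session is refused with 403 and logged) with the behaviour the patch is described as giving (a "request=style" GET is let through). The session, request shapes and sample traffic are constructed for the example.

```python
"""Illustrative model of the check behind
"Wt: Unexpected GET request with wtd of existing Ajax session".

Added example for this page; not Wt's implementation. The Session/Request
shapes, the 404 for an unknown wtd and the sample traffic are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

LOG_MSG = 'Wt: Unexpected GET request with wtd of existing Ajax session'


@dataclass
class Session:
    wtd: str          # session id carried in the query string
    client_ip: str    # address that created the session (recorded, not enforced here)
    ajax: bool = False  # True once the page has bootstrapped into Ajax mode


@dataclass
class Request:
    method: str
    query: str        # raw query string, e.g. "wtd=s1&request=style"
    client_ip: str


def gate(session, req, allow_style):
    """Decide one request against one session.

    Returns (http_status, log_message); log_message is None when nothing
    would be logged. allow_style=False models the reported 4.4.0+ behaviour,
    allow_style=True models the patched behaviour (style GETs pass).
    """
    params = parse_qs(req.query)
    if params.get('wtd', [None])[0] != session.wtd:
        return 404, None  # unknown session: outside this check (model choice)
    if req.method != 'GET' or not session.ajax:
        return 200, None  # POSTs, and GETs before the Ajax switch, are normal
    if allow_style and params.get('request', [None])[0] == 'style':
        # Patched behaviour: style requests pass regardless of client address,
        # which is why the note says different-IP style requests pass too.
        return 200, None
    return 403, LOG_MSG


# Constructed sample traffic against one session already in Ajax mode.
SESSION = Session(wtd='s1', client_ip='10.0.0.5', ajax=True)
SAME_CLIENT_STYLE = Request('GET', 'wtd=s1&request=style', '10.0.0.5')   # cases 1 and 2
OTHER_HOST_STYLE = Request('GET', 'wtd=s1&request=style', '198.51.100.7')  # the note's case
PLAIN_GET_OTHER_HOST = Request('GET', 'wtd=s1', '198.51.100.7')


def compare(req):
    """Show the same request under both policies."""
    return {
        'before_patch': gate(SESSION, req, allow_style=False),
        'after_patch': gate(SESSION, req, allow_style=True),
    }


if __name__ == '__main__':
    for name, req in [('same client, style', SAME_CLIENT_STYLE),
                      ('other host, style', OTHER_HOST_STYLE),
                      ('other host, plain GET', PLAIN_GET_OTHER_HOST)]:
        print(name, compare(req))
```

Running it shows that both policies still refuse a plain GET with a known wtd from another host, while the patched policy accepts a style GET from any host; whether that widening is acceptable is exactly the question the note raises.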
NOTE on Testing: Case 1 should hopefully be easy to reproduce. For case 2, I used mitmproxy 4.0.4 to delay the style request. With a test app running on port 8080 and an mitmproxy command similar to:
mitmproxy --intercept '~u request=style & ~q' -p 8090 -m reverse:http://localhost:8080
Browse to http://localhost:8090 and after a few seconds, press 'A' in the mitmproxy session to allow the intercepted style request to continue.