alyssaxuu/omni

Unexpected requests to `/users/undefined` causing unwanted 404 in Rails-based webapp

milgner opened this issue · 1 comments

Browser: Firefox Linux 112.0.2 (64-bit), Omni 1.4.5

In a Rails-based application using a cookie session store, the behaviour of the user sign in changes depending on whether Omni is installed. The request body remains the same, but in the response (status code 302) the Location header changes (or appears to change in the browser development tools network tab):

Without Omni installed, the location header is `http://hostname/`.

With Omni installed, the location header is `http://hostname/users/undefined`, resulting in 404 status.

Debugging into the controller, it looks like the session key `user_return_to` is indeed set to the value `/users/undefined`.
When disabling Omni or using a browser without Omni installed, everything works as expected. It looks like a request to `/users/undefined` is made by the extension in the background without showing up in the logs and changing the state of the backend in the process.

On one hand, I guess that the backend should be more robust and not let its state get changed by these GET requests; OTOH, I'm not sure how and why the extension sends the request - but it seems like anything with `undefined` in it shouldn't result in a call to the remote server at all?
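
The backend-side hardening raised above, as an added example that is not code from the reporter's application or from Omni: only a top-level page navigation may overwrite the stored return path, so a background request leaves the session alone. It assumes the extension's request is a non-navigation fetch, as the report describes; the function names and sample requests are hypothetical, and only the session key `user_return_to` comes from the report.

```ruby
# Added example: decide whether a request may overwrite the session's
# return-to path. Works on a Rack-style env hash; names are hypothetical.

RETURN_TO_KEY = "user_return_to" # session key named in the report

# True only for a top-level page navigation (address bar, link, form GET).
def navigational_get?(env)
  return false unless env["REQUEST_METHOD"] == "GET"
  return false if env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest"

  mode = env["HTTP_SEC_FETCH_MODE"]
  dest = env["HTTP_SEC_FETCH_DEST"]
  if mode || dest
    # Fetch Metadata headers present: require a document navigation.
    mode == "navigate" && dest == "document"
  else
    # Clients without Fetch Metadata: fall back to the Accept header.
    env["HTTP_ACCEPT"].to_s.include?("text/html")
  end
end

# Returns the session hash, updated only when the request is a navigation
# to a local path. Background requests leave the stored value untouched.
def remember_return_to(session, env)
  return session unless navigational_get?(env)

  path = env["PATH_INFO"].to_s
  return session unless path.start_with?("/") && !path.start_with?("//")

  session.merge(RETURN_TO_KEY => path)
end

# Constructed sample requests (not captured traffic).
PAGE_VISIT = {
  "REQUEST_METHOD" => "GET", "PATH_INFO" => "/projects/7",
  "HTTP_SEC_FETCH_MODE" => "navigate", "HTTP_SEC_FETCH_DEST" => "document",
  "HTTP_ACCEPT" => "text/html,application/xhtml+xml"
}.freeze
BACKGROUND_FETCH = {
  "REQUEST_METHOD" => "GET", "PATH_INFO" => "/users/undefined",
  "HTTP_SEC_FETCH_MODE" => "cors", "HTTP_SEC_FETCH_DEST" => "empty",
  "HTTP_ACCEPT" => "*/*"
}.freeze
```
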

Same problem, got the `/undefined` on multiple websites when logging in (gitlab, bitwarden, vcenter, others).
Devtools say it's from `jquery.js:2` (probably the one included in Omni). I confirmed the bug is here when Omni is enabled and not here anymore when disabling Omni.
