I noticed that the implementation of URL of the cloudflare worker automatically decodes %2B to + and %26 to &:
console.log( new URL("http://example.com/%2B" ).toString() ) // http://example.com/+
console.log( new URL("http://example.com/%26" ).toString() ) // http://example.com/&
Thus URL changes the passed URL when it contains the characters %2B or %26. This is not the behavior I see when I run the above code in the web console of a browser. In Firefox and Chromium I get:
console.log( new URL("http://example.com/%2B" ).toString() ) // http://example.com/%2B
console.log( new URL("http://example.com/%26" ).toString() ) // http://example.com/%26
This causes a bug in our cloudflare worker when the request url contains %2B or %26. Since we use the URL-interface to rewrite the request url (i.e. changing the domain) these character encodings do not get passed to our backend so that it responses with an error.
Is this a bug in the URL implementation of the cloudflare worker?
