I noticed that the implementation of URL
of the cloudflare worker automatically decodes %2B
to +
and %26
to &
:
console.log( new URL("http://example.com/%2B" ).toString() ) // http://example.com/+
console.log( new URL("http://example.com/%26" ).toString() ) // http://example.com/&
Thus URL
changes the passed URL when it contains the characters %2B
or %26
. This is not the behavior I see when I run the above code in the web console of a browser. In Firefox and Chromium I get:
console.log( new URL("http://example.com/%2B" ).toString() ) // http://example.com/%2B
console.log( new URL("http://example.com/%26" ).toString() ) // http://example.com/%26
This causes a bug in our cloudflare worker when the request url contains %2B
or %26
. Since we use the URL
-interface to rewrite the request url (i.e. changing the domain) these character encodings do not get passed to our backend so that it responses with an error.
Is this a bug in the URL
implementation of the cloudflare worker?