I encounter a strange behavior with my webapp in Safari (no problem at all with FF).
The code is pretty simple:
- I have a form which contains some checkboxes.
- I click on the submit button, which sends the data via POST to the same page, in which a PHP script writes a cookie
- then, PHP reloads the same page with header("Location:index.php");
Unfortunately, I get the following error with Safari:
"Refused to execute a JavaScript script. Source code of script found within request."
The page does NOT send JavaScript or a URL or other malicious code. It just POSTs data from a form. So, how could I avoid this? Could anyone explain why Safari tells me I want to execute JavaScript code? (Of course, adding "header("X-XSS-Protection: 0");" at the top of the page fixes the problem. But I'm not very happy with this kind of countermeasure...)
Here are some relevant parts of the code (simplified):
<?php
if (@$_POST["foo"] == "yes") {
    $choice = join("-", $_POST["choice"]);
    setcookie("bar", $choice, time()+900000);
    header("Location:index.php");
}
?>
<form method="post" action="index.php">
<input type="hidden" name="foo" value="yes">
<p><input type='checkbox' name='choice[]' value='foo'> foo</p>
<p><input type='checkbox' name='choice[]' value='bar'> bar</p>
<p><input type='checkbox' name='choice[]' value='baz'> baz</p>
<input type="submit">
</form>
Thanks in advance for your responses!
EDIT:
- I strongly suspect a bug in my favourite version of Safari (5) since the code is working perfectly in Safari 6 (ML), Firefox and Chrome.
- Putting the setcookie section at the top of the page and calling "exit" right after header("location:") doesn't fix the problem.
- Even if I put the setcookie in a separate PHP script and reload the page from within this new page, I get the same error in Safari 5.
As requested by silverlightfox, here are some screenshots of the HTTP response headers of the 2 pages:
choice[]? Should it just be choice? – Sablefoste
name='choice[]', could you try without the brackets like this: name='choice'? – martinstoeckli