Extra "_" parameter in POST request using Chrome.

Question

When I use Google Chrome to make an AJAX POST request I get extra empty parameter "_" on server-side.

Here's some background information:

• Web-server: Python Paste
• Back-end: Python 2.6/Pylons
• Browser: Google Chrome 3.0.195.1
• JavaScript Library: Prototype 1.6.1 RC3

For example simple:

>>print sorted(request.POST.keys())
['_','my_parameter']

I've Googled and I found few posts in mailing lists mentioning the same problem but I couldn't find an answer why is that happening. There were people reporting same issue using PHP and Safari so I don't think it's Server/Back-end related. I tested the same page with Firefox and I didn't get the extra parameter.

I've checked HTTP 1.1 specification and couldn't find anything related.

The strange thing is that I have never noticed this behaviour before.

I haven't written a separate test to test it on all modern browsers yet, I though I'd ask here first. I expect the same problem might happen with Safari.

---

A small side question; is it bad practice to expect that browser will only post the parameters which I expect or there's a chance that browser will post unnecessary/unexpected parameters like in this case.

---

Answer

As Blixt suggested the problem was in Prototype:

if (params = Object.toQueryString(params)) {
  if (this.method == 'get')
    this.url += (this.url.include('?') ? '&' : '?') + params;
  else if (/Konqueror|Safari|KHTML/.test(navigator.userAgent))
    params += '&_=';
}

Found it in bug tracker as well. Looks like this is fixed on Safari side, but it still in prototype code as workaround.

Answer 1

Please use Fiddler, to trace the HTTP traffic between your Chrome browser and the server. Do you find the additional paramter in the HTTP request?

Answer 2

Most likely, the empty parameter is from your JavaScript framework. Usually, frameworks add an additional parameter (to make a URL unique) to prevent certain browsers (in other words, Internet Explorer) from caching a request.

I have never experienced any browser adding additional query parameters on their own accord.

Answer 3

To answer this:

A small side question; is it bad practice to expect that browser will only post the parameters which I expect or there's a chance that browser will post unnecessary/unexpected parameters like in this case.

It is a bad idea to trust input coming from an untrusted source, and a user agent on the Internet is an untrusted source.

You should assume you can receive:

• parameters that you expect with values that you expect
• parameters that you expect with values that you don't expect
• parameters that you don't expect with values that you don't expect

You should also assume that you may not receive the parameters you expect.