PHP $_SERVER['REQUEST_METHOD'] blocked on POST?

[Offbeatmammal]

very strange behaviour - two pages on the same site, using the same template. One works fine, but the other on a submission the $_SERVER['REQUEST_METHOD'] variable isn't getting set unless Privacy Badger is disabled.

Submitting the form with a GET works (but is impractical)

As this is a server side thing, I have no idea how PB could be impacting this, and why it's only happening on one of the forms.

Weirdly the form that's got the issue has less personal info than the one that's working!

If there's something I need to be more aware of while developing this site to keep Privacy Badger happy, happy to put it into practice.

[ghostwords]

Hello and thanks for opening an issue!

• Which browser is this in?
• Can you reproduce with Privacy Badger added to a new profile in the same browser?
• Can you reproduce with a different browser?
• Does disabling Privacy Badger for the site using the Disable button in Privacy Badger's popup make the problem go away?

[Offbeatmammal]

• it's in Vivaldi on macOS - installed Chrome+Privacy Badger and don't get the same problem.
• uninstalled PB from Vivaldi and re-installed, and problem still occurs
• disabling PB in Vivaldi makes the problem go away.
  looks like it's a Vivaldi issue. weird that it stops Apache from setting the request method header, wonder if the shared hoster is doing something odd as well

[ghostwords]

OK thank you.

disabling PB in Vivaldi makes the problem go away.

To clarify, disabling using the "Disable for this site" button in PB's popup, or disabling the entire extension on the manage extensions page?

[ghostwords]

Weirdly the form that's got the issue has less personal info than the one that's working!

Could you identify what it is about the form that makes it not work? In other words, what is the minimal version of this form that will demonstrate the problem?

[Offbeatmammal]

To clarify, disabling using the "Disable for this site" button in PB's popup, or disabling the entire extension on the manage extensions page?

"Disable for this site" fixes the issue

Could you identify what it is about the form that makes it not work? In other words, what is the minimal version of this form that will demonstrate the problem?

here's where it gets really weird.
even if I strip the form back to just

<form method="POST">
    <table>
        <tr><td><input type="submit" value="Save changes"><td><?=$msg?>
    </table>
</form>

it still throws the error, but only on this page. I've even renamed the page in case that was the issue. Switching from POST to GET works fine.

so, if I change to

<form method="POST" action="<?=$path?>/club_edit">

it does work, but

<form method="POST" action="<?=$path?>/club_edit?club=<?=$club?>">

fails

So, only this form needs an explicit action, and that action can't have querystring parameters, they all have to be on the POST. Glad to have worked that out, will go back through the project and fix that up everywhere

I think it must be something happening on the host though, as I dropped the site onto a VPS with a different provider and the issue doesn't occur. Current host where we're building this proof of concept is very cost effective but offers no support (so not going to have much luck getting them to see what's happening) so might just switch this to a different host (don't want to ask people using this to disable PB)

[ghostwords]

Do you see any differences in the Network tab of developer tools with and without Privacy Badger enabled for the page, when submitting the form that exhibits this problem? You'll probably have to enable the "Preserve log" setting to see everything.

[ghostwords]

Closing for now.