fix(core): don't serve in-page POST/unsafe requests from the discovery cache

[Sriram567]

Fixes PER-9766 — PSE team can't snapshot pages behind form authentication.

Root cause

Asset-discovery's request interception serves cached responses keyed on URL only, ignoring the HTTP method:

• packages/core/src/discovery.js:463 — lookupCacheResource keys purely on URL (snapshotResources.get(url) || cache.get(url)).
• packages/core/src/network.js (sendResponseResource) — fulfils any cached resource via Fetch.fulfillRequest regardless of request.method.

A customer logging in from an execute script did:

await fetch(form.action, { method: 'POST', credentials: 'same-origin' }); // login
const html = await (await fetch('/my-account', { credentials: 'same-origin' })).text();
document.open(); document.write(html); document.close();

The login POST went to the site root, which had already been captured (GET) and cached during navigation. Discovery answered the POST from that cached login-page body, so it never reached the origin — no session was established, and the follow-up /my-account fetch returned unauthenticated content that document.write then captured.

Debug-log proof: Evaluate JavaScript → Handling request: https://…/ (the POST) → - Resource cache hit → /my-account fetched unauthenticated → Snapshot taken.

Fix

Only serve cached resources for safe, cacheable methods (GET/HEAD). POST/PUT/PATCH/DELETE (or an absent method) fall through to Fetch.continueRequest → origin. Answering a state-changing request with a cached GET body is incorrect in general; page navigation and asset fetches are GET, so normal snapshotting is unaffected.

let cacheableMethod = request.method === 'GET' || request.method === 'HEAD';
// …
} else if (resource && cacheableMethod && (resource.root || resource.provided || !disableCache)) {

Testing

Added discovery.test.js › resource caching › "serves cached resources only for cacheable methods (PER-9766)": caches an asset on the initial GET, then issues a POST to the same URL from an execute script and asserts the origin sees the POST (i.e. it is not served from cache). Verified the spec fails without the fix (Expected ['GET'] to contain 'POST') and passes with it.

Review notes

This touches core discovery interception (100%-coverage gate). The new cacheableMethod branch is exercised by the GET+POST test. Worth a prod-replay sanity check, though the only behavior change is: an unsafe-method request whose URL happens to be cached now hits the origin instead of replaying a GET body.

🤖 Generated with Claude Code