POST-Data of finished WebResourceRequest still found in process-dump

[Urmeli0815]

Hello,

we have a C++-Application that uses the WebView2-SDK (currently 1.0.3351.48) to embed a web-view. We use the add_WebResourceRequested method to intercept & handle requests in C++.

In a security test we made a process-dump of our process after a POST-Request was handled which contained a UUID in the POST-Data.
What we found (most of the time, not always) were some string remains of the POST-Data in the process-dump. They always looked something like this:

{"lastSelectedTab":"XYZ"}khasPostData
hpostDatax*{"body":"ooooops","clientMessageId":12345}khasPostData
hpostDatax#{"userId":"543212","isTyping":false}khasPostData

We always saw these khasPostData and hpostDatax strings in the dump.

My question would be: is it possible that the code in EmbeddedBrowserWebView.dll reads the POST-Data from the Web-View via IPC, but after processing it doesn't zero out the memory so that the data would still be visible in a dump? I assume there is some kind of cache in use to prevent reallocations.

It would be great if you could provide some information about the internals here.