237137 2022-02-24 07:44:54 -0800 Back navigation floods the server with duplicate GET requests 2022-05-17 08:07:08 -0700 1 1 1 Unclassified WebKit History Safari 15 Unspecified Unspecified RESOLVED DUPLICATE 235475 InRadar P2 Normal --- 1 steffen.weber webkit-unassigned cdumez webkit-bug-importer oldest_to_newest 1845607 0 steffen.weber 2022-02-24 07:44:54 -0800 How to reproduce: 1. Open Safari 15.3 on macOS or iOS 2. Go to https://www.computerbase.de/forum/threads/dan-c4-sfx.1923191/post-26644137 3. Confirm the consent dialog 4. Click on the orange link with title "https://www.computerbase.de/forum/attachments/2-png.1190983/" 5. Wait until the linked attachment/image loads 6. Click/tap Safari's back button What should happen: Safari should navigate back to the forum thread. What actually happens: Safari either just hangs or floods the server with duplicate HTTP GET requests (until our rate-limiting kicks in and respons with "HTTP 429 Too Many Requests"): ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 429 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" I've made video demo: https://www.youtube.com/watch?v=FNwTbiydb5o Originally reported here by our users: https://www.computerbase.de/forum/threads/safari-problem-auf-computerbase-http-error-429-too-many-requests.2073015/ 1846064 1 webkit-bug-importer 2022-02-25 09:56:58 -0800 <rdar://problem/89479503> 1846594 2 steffen.weber 2022-02-28 03:50:04 -0800 I've discovered a workaround: Just add the HTTP header "Cross-Origin-Opener-Policy: same-origin" to the attachment (was already there for normal page / HTML requests). I've just applied this change to our website (which means that the reproduction steps above don't work anymore but I hope that the hint regarding the "Cross-Origin-Opener-Policy" will help fix this issue). 1869243 3 cdumez 2022-05-16 08:55:12 -0700 *** This bug has been marked as a duplicate of bug 235475 *** 1869601 4 steffen.weber 2022-05-17 00:15:53 -0700 Which Safari version contains the fix? 15.4? 1869684 5 cdumez 2022-05-17 08:07:08 -0700 (In reply to Steffen Weber from comment #4) > Which Safari version contains the fix? 15.4? iOS 15.4 / macOS 12.3 should have the fix (not sure what that translates to in Safari versions).