Bug 237137

Summary: Back navigation floods the server with duplicate GET requests
Product: WebKit Reporter: Steffen Weber <steffen.weber>
Component: HistoryAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: cdumez, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 15   
Hardware: Unspecified   
OS: Unspecified   

Description Steffen Weber 2022-02-24 07:44:54 PST 
How to reproduce:

1. Open Safari 15.3 on macOS or iOS
2. Go to https://www.computerbase.de/forum/threads/dan-c4-sfx.1923191/post-26644137
3. Confirm the consent dialog
4. Click on the orange link with title "https://www.computerbase.de/forum/attachments/2-png.1190983/"
5. Wait until the linked attachment/image loads
6. Click/tap Safari's back button

What should happen:

Safari should navigate back to the forum thread.

What actually happens:

Safari either just hangs or floods the server with duplicate HTTP GET requests (until our rate-limiting kicks in and respons with "HTTP 429 Too Many Requests"):

::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 429 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"

I've made video demo: https://www.youtube.com/watch?v=FNwTbiydb5o

Originally reported here by our users: https://www.computerbase.de/forum/threads/safari-problem-auf-computerbase-http-error-429-too-many-requests.2073015/
Comment 1 Radar WebKit Bug Importer 2022-02-25 09:56:58 PST 
<rdar://problem/89479503>
Comment 2 Steffen Weber 2022-02-28 03:50:04 PST 
I've discovered a workaround: Just add the HTTP header "Cross-Origin-Opener-Policy: same-origin" to the attachment (was already there for normal page / HTML requests). I've just applied this change to our website (which means that the reproduction steps above don't work anymore but I hope that the hint regarding the "Cross-Origin-Opener-Policy" will help fix this issue).
Comment 3 Chris Dumez 2022-05-16 08:55:12 PDT 

*** This bug has been marked as a duplicate of bug 235475 ***
Comment 4 Steffen Weber 2022-05-17 00:15:53 PDT 
Which Safari version contains the fix? 15.4?
Comment 5 Chris Dumez 2022-05-17 08:07:08 PDT 
(In reply to Steffen Weber from comment #4)
> Which Safari version contains the fix? 15.4?

iOS 15.4 / macOS 12.3 should have the fix (not sure what that translates to in Safari versions).