How to reproduce: 1. Open Safari 15.3 on macOS or iOS 2. Go to https://www.computerbase.de/forum/threads/dan-c4-sfx.1923191/post-26644137 3. Confirm the consent dialog 4. Click on the orange link with title "https://www.computerbase.de/forum/attachments/2-png.1190983/" 5. Wait until the linked attachment/image loads 6. Click/tap Safari's back button What should happen: Safari should navigate back to the forum thread. What actually happens: Safari either just hangs or floods the server with duplicate HTTP GET requests (until our rate-limiting kicks in and respons with "HTTP 429 Too Many Requests"): ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" ::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 429 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1" I've made video demo: https://www.youtube.com/watch?v=FNwTbiydb5o Originally reported here by our users: https://www.computerbase.de/forum/threads/safari-problem-auf-computerbase-http-error-429-too-many-requests.2073015/
<rdar://problem/89479503>
I've discovered a workaround: Just add the HTTP header "Cross-Origin-Opener-Policy: same-origin" to the attachment (was already there for normal page / HTML requests). I've just applied this change to our website (which means that the reproduction steps above don't work anymore but I hope that the hint regarding the "Cross-Origin-Opener-Policy" will help fix this issue).
*** This bug has been marked as a duplicate of bug 235475 ***
Which Safari version contains the fix? 15.4?
(In reply to Steffen Weber from comment #4) > Which Safari version contains the fix? 15.4? iOS 15.4 / macOS 12.3 should have the fix (not sure what that translates to in Safari versions).