Bug 237137 - Back navigation floods the server with duplicate GET requests
Status: RESOLVED DUPLICATE of bug 235475
Alias: None
Product: WebKit
Classification: Unclassified
Component: History
Version: Safari 15
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2022-02-24 07:44 PST by Steffen Weber
Modified: 2022-05-17 08:07 PDT
Description Steffen Weber 2022-02-24 07:44:54 PST
How to reproduce:

1. Open Safari 15.3 on macOS or iOS
2. Go to https://www.computerbase.de/forum/threads/dan-c4-sfx.1923191/post-26644137
3. Confirm the consent dialog
4. Click on the orange link with title "https://www.computerbase.de/forum/attachments/2-png.1190983/"
5. Wait until the linked attachment/image loads
6. Click/tap Safari's back button

What should happen:

Safari should navigate back to the forum thread.

What actually happens:

Safari either just hangs or floods the server with duplicate HTTP GET requests (until our rate-limiting kicks in and responds with "HTTP 429 Too Many Requests"):

::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:26 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:27 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 200 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"
::ffff:1.2.3.4 [24/Feb/2022:16:28:28 +0100] 429 "GET /forum/threads/dan-c4-sfx.1923191/page-37 HTTP/2.0" "-" "Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1"

I've made a video demo: https://www.youtube.com/watch?v=FNwTbiydb5o

Originally reported here by our users: https://www.computerbase.de/forum/threads/safari-problem-auf-computerbase-http-error-429-too-many-requests.2073015/
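Added example, not part of the original report or of WebKit: a server-side check that parses access-log lines in the layout quoted above and flags a client that repeats the same GET many times within a short window, recording when the first 429 was returned. The threshold, window length, sample addresses and paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Layout of the access-log lines quoted in the report:
# client [timestamp] status "request line" "referer" "user agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<status>\d{3}) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" "[^"]*" "(?P<ua>[^"]*)"$')

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bursts(lines, threshold=10, window_s=2):
    """Flag (client, path, ua) keys with >= threshold identical GETs inside window_s seconds."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    bursts = {}                  # key -> {"peak": int, "first_429": datetime or None}
    for rec in (r for r in map(parse, lines) if r and r["method"] == "GET"):
        key = (rec["client"], rec["path"], rec["ua"])
        q = recent[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() >= window_s:
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= threshold:
            info = bursts.setdefault(key, {"peak": 0, "first_429": None})
            info["peak"] = max(info["peak"], len(q))
        if rec["status"] == 429 and key in bursts and bursts[key]["first_429"] is None:
            bursts[key]["first_429"] = rec["ts"]  # where rate limiting cut the loop off
    return bursts

# Constructed sample (not the report's log): one client repeating a GET, one normal reader.
UA = "Mozilla/5.0 (constructed sample)"
PAGE = "/forum/threads/example.1/page-2"

def _line(client, sec, status, path):
    return f'{client} [24/Feb/2022:16:28:{sec:02d} +0100] {status} "GET {path} HTTP/2.0" "-" "{UA}"'

SAMPLE = ([_line("::ffff:192.0.2.10", 26, 200, PAGE)] * 11
          + [_line("::ffff:192.0.2.10", 27, 200, PAGE)] * 12
          + [_line("::ffff:192.0.2.10", 28, 429, PAGE)]
          + [_line("::ffff:192.0.2.77", 26, 200, "/forum/"),
             _line("::ffff:192.0.2.77", 29, 200, PAGE)])
```

`find_bursts(SAMPLE)` returns a single entry for the repeating client; the second client, which requests two different pages three seconds apart, is not flagged.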
Comment 1 Radar WebKit Bug Importer 2022-02-25 09:56:58 PST
<rdar://problem/89479503>
Comment 2 Steffen Weber 2022-02-28 03:50:04 PST
I've discovered a workaround: Just add the HTTP header "Cross-Origin-Opener-Policy: same-origin" to the attachment (was already there for normal page / HTML requests). I've just applied this change to our website (which means that the reproduction steps above don't work anymore but I hope that the hint regarding the "Cross-Origin-Opener-Policy" will help fix this issue).
Comment 3 Chris Dumez 2022-05-16 08:55:12 PDT

*** This bug has been marked as a duplicate of bug 235475 ***
Comment 4 Steffen Weber 2022-05-17 00:15:53 PDT
Which Safari version contains the fix? 15.4?
Comment 5 Chris Dumez 2022-05-17 08:07:08 PDT
(In reply to Steffen Weber from comment #4)
> Which Safari version contains the fix? 15.4?

iOS 15.4 / macOS 12.3 should have the fix (not sure what that translates to in Safari versions).