Hey, we found a major bug within the Service Worker implementation from Safari 16.4 (where navigation preloads were introduced). * Suppose you have a simple website with a simple Service Worker which simply fetches all requests from the network and returns them to the browser ``` self.addEventListener('fetch', (event) => { event.respondWith(fetch(event.request)); }); ``` * You leave the page after installing the Service Worker and come back after a while once the Service Worker has been terminated by the browser * Now the Service Worker boots back up and gets handed the navigate request event which it fetches from the network. The problem is that in parallel, the browser has also made a navigate request as if the Service Worker were not there (or had navigation preloads enabled, which it does not!) * This additional request by the browser is not visible to the Service Worker like it would be with navigation preloads which are exposed in the `preloadResponse` property of the event. The effects of this behaviour can be very serious. There are lots of websites on the web that only allow a URL to be called once. A simple Service Worker will result in a user receiving the response to the second request which likely will be an error. We have seen that with one of our customers where the login stopped working in Safari because of this issue. ==== Steps to reproduce ==== I have build a simple website to demonstrate the issue. Please follow these steps 1. Go to https://clone-test.app.baqend.com/v1/code/swBootTest 2. Install the service worker by clicking the first link 3. Reload the page and see the service worker being active. You will also see that the "Page request counter" gets incremented with every request you do to this path. Please remeber the number you see right now! 4. Leave the page, scroll a bit through instagram or whatever and give the Service Worker some time to be terminated (about 1 min) 5. Paste https://clone-test.app.baqend.com/v1/code/swBootTest back into the URL bar and load the page. You will see that the number has increased by 2 points instead of 1 The counter is meant to visualise the issue. The better approach is of course to look at the network traffic. Unfortunately, the Safari dev tools are not of much help here. I used an SSL proxy instead (Charles Proxy). There you can see the duplicated request going over the network. The only difference by the way between these request is the `sec-fetch-site` header. One request has ``` sec-fetch-site same-origin ``` The other request has ``` sec-fetch-site cross-site ``` If you need additional information or help reproducing, please reach out!