[Webkit-unassigned] [Bug 257963] New: Browser makes background request on Service Worker boot with navigation preloads disabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 12 09:36:42 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=257963

            Bug ID: 257963
           Summary: Browser makes background request on Service Worker
                    boot with navigation preloads disabled
           Product: WebKit
           Version: Safari 16
          Hardware: All
                OS: All
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Service Workers
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: erik.witt at baqend.com

Hey, we found a major bug within the Service Worker implementation from Safari 16.4 (where navigation preloads were introduced).

* Suppose you have a simple website with a simple Service Worker which simply fetches all requests from the network and returns them to the browser
```
self.addEventListener('fetch', (event) => {
  event.respondWith(fetch(event.request));
});
```

* You leave the page after installing the Service Worker and come back after a while once the Service Worker has been terminated by the browser
* Now the Service Worker boots back up and gets handed the navigate request event which it fetches from the network. The problem is that in parallel, the browser has also made a navigate request as if the Service Worker were not there (or had navigation preloads enabled, which it does not!)
* This additional request by the browser is not visible to the Service Worker like it would be with navigation preloads which are exposed in the `preloadResponse` property of the event.

The effects of this behaviour can be very serious. There are lots of websites on the web that only allow a URL to be called once. A simple Service Worker will result in a user receiving the response to the second request which likely will be an error. We have seen that with one of our customers where the login stopped working in Safari because of this issue.

==== Steps to reproduce ====

I have built a simple website to demonstrate the issue. Please follow these steps:

1. Go to https://clone-test.app.baqend.com/v1/code/swBootTest
2. Install the service worker by clicking the first link
3. Reload the page and see the service worker being active. You will also see that the "Page request counter" gets incremented with every request you do to this path. Please remember the number you see right now!
4. Leave the page, scroll a bit through Instagram or whatever and give the Service Worker some time to be terminated (about 1 min)
5. Paste https://clone-test.app.baqend.com/v1/code/swBootTest back into the URL bar and load the page. You will see that the number has increased by 2 points instead of 1

The counter is meant to visualise the issue. The better approach is of course to look at the network traffic. Unfortunately, the Safari dev tools are not of much help here. I used an SSL proxy instead (Charles Proxy). There you can see the duplicated request going over the network. The only difference, by the way, between these requests is the `sec-fetch-site` header.

One request has
```
sec-fetch-site  same-origin
```

The other request has
```
sec-fetch-site  cross-site
```

If you need additional information or help reproducing, please reach out!

-- 
You are receiving this mail because:
You are the assignee for the bug.
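
A server-side check for the pattern described in the report above, as an added example that is not part of the original bug report or of WebKit: it scans request records for two GETs of the same URL by the same client, close together in time, where one carries `sec-fetch-site: same-origin` and the other `cross-site`, in either order. The record fields (`ts`, `client`, `method`, `url`, `headers`), the 2-second window and the sample records are assumptions constructed for illustration.

```javascript
// Added example. Record fields, the window and the sample data are assumptions.
const WINDOW_MS = 2000; // assumed upper bound on the gap between the two requests

// Header names are case-insensitive, so look the value up without relying on case.
function secFetchSite(record) {
  for (const [name, value] of Object.entries(record.headers || {})) {
    if (name.toLowerCase() === 'sec-fetch-site') return String(value).trim().toLowerCase();
  }
  return null;
}

function findDuplicateNavigations(records, windowMs = WINDOW_MS) {
  // Compare only requests for the same URL made by the same client.
  const groups = new Map();
  for (const r of records) {
    if (r.method !== 'GET') continue;
    const key = `${r.client}|${r.url}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const findings = [];
  for (const reqs of groups.values()) {
    reqs.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i + 1 < reqs.length; i++) {
      const [a, b] = [reqs[i], reqs[i + 1]];
      const sites = new Set([secFetchSite(a), secFetchSite(b)]);
      const mixed = sites.has('same-origin') && sites.has('cross-site');
      if (mixed && b.ts - a.ts <= windowMs) {
        findings.push({ client: a.client, url: a.url, gapMs: b.ts - a.ts });
        i++; // b is consumed; do not pair it again with the next request
      }
    }
  }
  return findings;
}

// Constructed sample records (ts in milliseconds), not captured traffic.
const SAMPLE = [
  { ts: 1000, client: 'A', method: 'GET', url: '/v1/code/swBootTest', headers: { 'sec-fetch-site': 'same-origin' } },
  { ts: 1040, client: 'A', method: 'GET', url: '/v1/code/swBootTest', headers: { 'Sec-Fetch-Site': 'cross-site' } },
  { ts: 90000, client: 'A', method: 'GET', url: '/v1/code/swBootTest', headers: { 'sec-fetch-site': 'same-origin' } },
  { ts: 5000, client: 'B', method: 'GET', url: '/v1/code/swBootTest', headers: { 'sec-fetch-site': 'same-origin' } },
  { ts: 65000, client: 'B', method: 'GET', url: '/v1/code/swBootTest', headers: { 'sec-fetch-site': 'same-origin' } },
];

console.log(findDuplicateNavigations(SAMPLE));
```

Client A's pair 40 ms apart is reported; A's later reload and B's two reloads a minute apart are not.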