Bug 189084

Summary: Mobile Safari silently retries non-idempotent network requests
Product: WebKit
Reporter: Joel Riley <joelriley>
Component: WebKit Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: ap
Priority: P2
Version: Safari 11
Hardware: Unspecified
OS: iOS 11

Description Joel Riley 2018-08-29 09:48:33 PDT
Spec allows browsers to silently retry requests (https://tools.ietf.org/html/rfc2616#section-8.2.4) if the network connection prematurely closes. This can happen, for instance, when a mobile device is switching away from a poor network or switching between Wi-Fi and cellular network. If a client (JavaScript) issues only one network request, the browser may issue two requests if the first request is interrupted, and the payload of the second request is returned back to the client, which is unaware two requests took place. This behavior is problematic in the case of non-idempotent requests (such as POST), since those requests can have side effects. One example is an HTTP POST request to create a new comment on a message board, which could in turn cause two comments to be posted if the browser retries the request due to a network disconnect. Safari should not retry non-idempotent requests. Chrome currently handles this correctly.

RFC that states retries should not happen for non-idempotent requests: https://tools.ietf.org/html/rfc7230#section-6.3.1
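
The duplicate-comment scenario from the description, as an added example that is not part of the original report or of WebKit: the network is simulated in-process, and every name here (`makeServer`, `sendWithSilentRetry`, the use of an `Idempotency-Key` request header, the `req-…` IDs) is an assumption made for illustration. It shows a server that creates two comments when one POST is silently replayed, beside one that recognises the replay by its request ID.

```javascript
// Added example: hypothetical names, simulated network, constructed sample values.

// Server-side store: comments plus a cache of responses keyed by request ID.
function makeServer({ dedupe }) {
  const comments = [];
  const seen = new Map(); // request ID -> response already sent for it
  return {
    comments,
    handlePost(req) {
      const key = req.headers["Idempotency-Key"];
      if (dedupe && key !== undefined && seen.has(key)) {
        return seen.get(key); // replayed request: same result, no new side effect
      }
      comments.push(req.body);
      const res = { status: 201, id: comments.length };
      if (dedupe && key !== undefined) seen.set(key, res);
      return res;
    },
  };
}

// Simulated network stack: the first attempt reaches the server, the
// connection drops before the response arrives, and the same request is
// sent again without the caller being told (the behaviour in the report).
function sendWithSilentRetry(server, req, { dropFirstResponse }) {
  let res = server.handlePost(req);
  if (dropFirstResponse) {
    res = server.handlePost(req); // retry carries identical headers and body
  }
  return res; // the caller sees exactly one response
}

// Page script issues ONE POST and tags it with a unique request ID.
function postComment(server, text, requestId) {
  const req = { method: "POST", headers: { "Idempotency-Key": requestId }, body: text };
  return sendWithSilentRetry(server, req, { dropFirstResponse: true });
}

function demo() {
  const naive = makeServer({ dedupe: false });
  const hardened = makeServer({ dedupe: true });
  const r1 = postComment(naive, "hello", "req-0001");
  const r2 = postComment(hardened, "hello", "req-0001");
  return { naiveCount: naive.comments.length, naiveId: r1.id,
           hardenedCount: hardened.comments.length, hardenedId: r2.id };
}

console.log(demo());
```

In a real service the response cache would need an expiry and the key would be scoped to the authenticated user, so one client cannot collide with or read back another client's result.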

Comment 1 Alexey Proskuryakov 2018-08-30 10:17:09 PDT
Thank you for the report!

This is implemented at a lower level than WebKit, so we can't track this problem in WebKit bugzilla. Could you please report it via https://bugreport.apple.com, so that Apple engineers responsible for networking could take a look? Also, they would most likely need steps to reproduce, or at least a tcpdump.