We just redesigned a web application and as a result we've noticed a bug in Chrome (but it supposedly affects all WebKit browsers) that causes a full image/js/css reload after a Post/Redirect/Get. Our app is built using ASP.NET and uses a lot of Response.Redirect's which means users will run into this issue a lot. There's a bug report for the issue with test case: https://bugs.webkit.org/show_bug.cgi?id=38690
We've tried the following to resolve the issue:
Change all Response.Redirects to be JavaScript redirects. This wasn't ideal because instead of images reloading, there would be a "white flash" during page transitions.
We wrote our own HTTP handler for images, CSS and JS files. We set it up to where the handler sends a max-age of 1 hour. When the client requests the file again, the handler checks the If-Modified-Since header sent by the browser to see if the file had been updated since the last time it was downloaded. If the dates match, the handler returns an HTTP 302 (Not Modified) with 0 for the Content-Length. We ran a test where if the image was downloaded for the first time (HTTP 200), there was a delay of 10 seconds. So the first time the page loaded, it was very slow. If the handler returned 302 (Not Modified), there was no delay. What we noticed was that Chrome would still "reload" images even when the server returned a 302 (Not Modified). It's not pulling the file from the server (if it were, it would cause a 10 seconds delay), but yet it's flashing/reloading the images. So Chrome seems to be ignoring the 302 and still reloading images from it's cache causing the "reload".
We've checked big sites to see if they've fixed it somehow, but sites like NewEgg and Amazon are also affected.
Has anyone found a solution to this? Or a way to minimize the effect?
Thanks.
This is a bug. The only "workaround" I've seen untill now is to use a Refresh header instead of a Location header to do the redirecting. This is far from ideal.
Bug 38690 - Submitting a POST that leads to a server redirect causes all cached items to redownload
Also, this question is a duplicate of "Full page reload on Post/Redirect/Get ignoring cache control".
I ran into this problem myself with an ASP.NET web forms site that uses
Response.Redirect(url, false) following a post on many of its pages.
From reading the HTTP/1.1 specification it sounds like a 303 response code would be correct for implementing the Request: POST, Response: Redirect behavior. Unfortunately changing the status code does not make browser caching work in Chrome.
I implemented the workaround described in the post above by creating a custom module for non-static content. I'm also deleting the response content from 302's to avoid the appearance of a blink of "object moved to here". This is probably only relevant for the refresh headers. Comments are welcome!
public class WebKitHTTPHeaderFixModule : IHttpModule
{
public void Init(HttpApplication httpApp)
{
// Attach application event handlers.
httpApp.PreSendRequestHeaders += new EventHandler(httpApp_PreSendRequestHeaders);
}
void httpApp_PreSendRequestHeaders(object sender, EventArgs e)
{
HttpContext context = HttpContext.Current;
if (context.Response.StatusCode == 302)
{
context.Response.ClearContent();
// If Request is POST and Response is 302 and browser is Webkit use a refresh header
if (context.Request.HttpMethod.Equals("POST", StringComparison.OrdinalIgnoreCase) && context.Request.Headers["User-Agent"].ToLower().Contains("webkit"))
{
string location = context.Response.Headers["Location"];
context.Response.StatusCode = 200;
context.Response.AppendHeader("Refresh", "0; url=" + location);
}
}
}
public void Dispose()
{}
}
Note: I don't think this will work with the non-overloaded version of Response.Redirect since it calls Response.End().
Related
tl;dr; How do I get Chrome to follow the 302 'Location' redirect to a different domain after an HTTP POST?
I'm using OpenID Connect, using an external provider to provide authentication services to my ASP.NET MVC (C#, .NET 6) application.
I have a controller action to close an account. In this instance,
[HttpPost("close-account")]
public async Task<IActionResult> CloseAccount()
{
// This does not work as expected in a POST and the browser does not redirect
var properties = new AuthenticationProperties { RedirectUri = "..." }
return SignOut(properties, "Cookies", "OpenIdConnect");
}
There is a standard html <form> which is completing the post action to the controller via a <button>. No Javascript involved.
Looking at the Chrome developer tools, the browser receives the 302 Found with the Location response header correctly set to the URL the browser needs to redirect to in order to complete the sign out with the OpenID Connect provider.
However, the browser does not follow the redirect. I am presuming because it is cross-origin, and starts with "https://oidc.myauthenticationprovider.com/logout?...." which is a different domain.
I have verified this - because if I change the redirect to be another URL in the same site, then the browser follows up with a GET to the URL provided in the Location header. It's just that if the origin is a different domain, it does nothing.
I only see this behaviour with POST. I have a similar GET endpoint to sign out users (without closing their account- just a regular sign-out) - which works perfectly.
[HttpGet("sign-out")]
public async Task<IActionResult> CloseAccount()
{
// This works as expected in a GET and the user is redirected.
var properties = new AuthenticationProperties { RedirectUri = "..." }
return SignOut(properties, "Cookies", "OpenIdConnect");
}
I'm not sure this is strictly a CORS issue because it is the response to an HTTP POST rather than an XHR request, however, I have tried the below in case it is related to CORS:
I have tried the services.AddCors method in the application startup, adding the origin
I have tried manually adding the Access-Control-Allow-Origin header to both the original GET and also the POST response of the close account page
These do not make a difference.
To the user, the behaviour is as if the form has done nothing. They press the button, and it seems like nothing at all happens. The code within the controller executes (in my example, the account does get closed), but the redirection is then ignored.
This was due to us setting the form-action: self directive in CSP. As described on MDN Web Docs,
Warning: Whether form-action should block redirects after a form
submission is debated and browser implementations of this aspect are
inconsistent (e.g. Firefox 57 doesn't block the redirects whereas
Chrome 63 does).
For us this was what was causing the blocked redirect to a different domain after form submission.
I'm trying to post a user status update to the Goodreads API.
Most of the time my request returns 200 OK and does nothing. Every now and then, though, it returns 201 Created and the status is updated. When it works it's always the first time I try to make the call after running the app in iOS simulator. Subsequent calls never work.
I don't think the problem is the API itself, since the official Goodreads iOS app uses the same call and it always works.
Their API is famous for having problems with calls that include brackets in the parameters, but I can make other calls that contain brackets and they work fine, the problem is just this one.
I'm using OAuthSwift and this is my code:
oAuth.client.post(
"http://www.goodreads.com/user_status",//.xml",//?user_status[book_id]=6366035&user_status[page]=168",
parameters: ["user_status[page]" : 168, "user_status[book_id]" : 6366035, "format" : "xml"],
//headers: ["Content-Type" : "application/x-www-form-urlencoded"],
success: {
data, response in
print("")
print(response)
},
failure: {
error in
print("")
print(error)
}
)
(The commented out parts are alternatives I have tried unsuccessfully.)
I'm printing the base string that gets signed and it looks the same for the calls that work and the ones that don't, except for the nonce and the timestamp, obviously.
In the headers is also included the oauth_signature, which changes every time and sometimes contains characters that are encoded by OAuthSwift, so that could account for the call working just some of the time (it could work only when the signature doesn't contain a certain character)… but I'm printing out the headers too and I don't see any patterns or any discernible difference between the headers of the calls that work and those of the calls that don't.
So now I don't know what to test anymore… I'm checking the base string and the headers for calls that work and for calls that don't and they look the same… Could anybody think of something else that changes between calls and I should check? I have no idea what could be causing this and I don't know how to debug it.
Thanks in advance,
Daniel
Edit: Very weird… I tried my request with Paw, a Mac REST client, and with Chrome's Postman extension. If I use https I get 404 on my first call, then 201 on the second, then 404 on the third, 201 on the forth and so on. It works every other time. The time it works it doesn't matter if I use http or https, it works as long as there was a failed https request just before.
So I tried doing the same in my app: I added two https calls one after the other… in my app they always return 404.
So it seems like Postman, Paw and OAuthSwift are handling the requests differently. I don't know what could be the difference between those clients… the signature base string seems to be the same for all three, the headers too… so what else could change between them?
In the newer versions of Xcode you can only communicate with a HTTPS server. I expect Google support that so you can change the URL. Or you can edit your Info.plist file.
App Transport Security Settings > Allow Arbitrary Loads > YES
My site at www.kruaklaibaan.com (yes I know it's hideous) currently has 3.7 million likes but while working to build a proper site that doesn't use some flowery phpBB monstrosity I noticed that all those likes are registered against an invalid URL that doesn't actually link back to my site's URL at all. Instead the likes have all been registered against a URL-encoded version:
www.kruaklaibaan.com%2Fviewtopic.php%3Ff%3D42%26t%3D370
This is obviously incorrect. Since I already have so many likes I was hoping to either get those likes updated to the correct URL or get them to just point to the base url of www.kruaklaibaan.com
The correct url they SHOULD have been registered against is (not url-encoded):
www.kruaklaibaan.com/viewtopic.php?f=42&t=370
Is there someone at Facebook I can discuss this with? 3.7m likes is a little too many to start over with without a lot of heartache. It took 2 years to build those up.
Short of getting someone at Facebook to update the URL, the only option within your control that I could think of that would work is to create a custom 404 error page. I have tested such a page with your URL and the following works.
First you need to set the Apache directive for ErrorDocument (or equivalent in another server).
ErrorDocument 404 /path/to/404.php
This will cause any 404 pages to hit the script, which in turn will do the necessary check and redirect if appropriate.
I tested the following script and it works perfectly.
<?php
if ( $_SERVER['REQUEST_URI'] == '/%2Fviewtopic.php%3Ff%3D42%26t%3D370' ) {
Header("HTTP/1.1 301 Moved Permanently");
Header("Location: /viewtopic.php?f=42&t=370");
exit();
} else {
header('HTTP/1.0 404 Not Found');
}
?><html><body>
<h1>HTTP 404 Not Found</h1>
<?php echo $_SERVER['REQUEST_URI']; ?>
</body></html>
This is a semi-dirty way of achieving this, however I tried several variations in Apache2.2 using mod_alias's Redirect and mod_rewrite's RewriteRule, neither of which I have been able to get working with a URL containing percent encoded chars. I suspect that with nginx you may have better success at a more graceful way to handle this in the server.
I have the following line in my page which is called whenever a change is made in the form (the change in the form is persisted and stored in session):
function persistFormDetails() {
$.post("<%= Url.Action<AvailabilityController>(action => action.PersistForm(null)) %>", $("form#availabilityForm").serialize());
}
The above is called from 3 different events happening on the page: $("select").change, $("#NumberOfNights").change, $("#PromoCode").change.
These are the only 3 calls to 'PersistForm'. This works most of the time, but >5% of the time, 'PersistForm' is called using get instead of post. Extract from our weblogs for a failed request:
2012-08-07 06:17:34 120.151.214.16 - HTTP 10.12.0.151 80 POST /availability/persistform - 302 1151 434 0 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+5_1_1+like+Mac+OS+X)+AppleWebKit/534.46+(KHTML,+like+Gecko)+Version/5.1+Mobile/9B206+Safari/7534.48.3 __utma=212581192.532115380.1343637559.1343637559.1344320319.2;+__utmb=212581192.1.10.1344320319;+__utmc=212581192;+__utmz=212581192.1343637559.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);+.BREAKFREEBOOKING=H7n50kf8yh2VLsbC2Czo6LALPpef1jqj4RtcC4l34Q-fA3WKG8dD5Dps9CFq2i3j-YEVMEH5qTh_b5f7IDRJ5NYeB28gBV_czMmGeSfnd26FHsw83WbwBpz2K3oAVYCg6dG_MiOKqrpn8ViaBizKMKXD4yw1;+stella_referrer=referrerGuestId=14076864270&additionalInfo=mantra_on_kent_24h_sale30aug12&referrerSite= http://m.mantra.com.au/check-availability
2012-08-07 06:17:34 120.151.214.16 - HTTP 10.12.0.152 80 GET /availability/persistform chkCookies=True 302 950 353 0 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+5_1_1+like+Mac+OS+X)+AppleWebKit/534.46+(KHTML,+like+Gecko)+Version/5.1+Mobile/9B206+Safari/7534.48.3 __utma=212581192.532115380.1343637559.1343637559.1344320319.2;+__utmb=212581192.2.10.1344320319;+__utmc=212581192;+__utmz=212581192.1343637559.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);+.testCookie=.testCookie;+.BREAKFREEBOOKING=H7n50kf8yh2VLsbC2Czo6LALPpef1jqj4RtcC4l34Q-fA3WKG8dD5Dps9CFq2i3j-YEVMEH5qTh_b5f7IDRJ5NYeB28gBV_czMmGeSfnd26FHsw83WbwBpz2K3oAVYCg6dG_MiOKqrpn8ViaBizKMKXD4yw1;+stella_referrer=referrerGuestId=14076864270&additionalInfo=mantra_on_kent_24h_sale30aug12&referrerSite= http://m.mantra.com.au/check-availability
Note the first call to 'PersistForm' does a post (correct) but then 302's (not sure why its redirecting). Then the very next call from the same user on the same session and time calls 'PersistForm' and this time its with get. Then we get an exception "A public action method 'persistform' was not found on controller 'MG.Mobile.Controllers.AvailabilityController'".
This makes sense as my 'PersistForm' action has a HttpPost attribute.
[HttpPost]
public ActionResult PersistForm(AvailabilityForm form)
{
var model = _availabilityMapper.MapViewToDomain(form);
_availabilitySession.SaveAvailabilityToSession(model);
return new EmptyResult();
}
We can't allow gets on this action as it posts a lot of data. As I said earlier, this only happens about 5% of the time (maybe less).
Any ideas on why I sometimes get a 'get' instead of a 'post' or why the call to 'persistform' 302's (redirects) sometimes?
This is for our mobile site and the problem has only shown up with iPhone (but this could just be coincidence as 75% of mobile visits to our site are with iPhone).
Interesting issue. I put some my assumption here.
What I can see is that you controller is Sessionfull. That means that each request locks the Session object, so multiple requests from same client are handled one by one (request is wait till the Session lock is released).
As soon as you got to much, server might reach some threshold so, redirecting the request.
Options to try:
For such heavy loaded API, it is better to go with Session-Less model.
Try to utilize ASP.NET MVC Async controllers.
I'm implementing a REST API using ASP.NET MVC, and a little stumbling block has come up in the form of the Expect: 100-continue request header for requests with a post body.
RFC 2616 states that:
Upon receiving a request which
includes an Expect request-header
field with the "100-continue" expectation, an origin server MUST
either respond with 100 (Continue) status and continue to read
from the input stream, or respond with a final status code. The
origin server MUST NOT wait for the request body before sending
the 100 (Continue) response. If it responds with a final status
code, it MAY close the transport connection or it MAY continue
to read and discard the rest of the request. It MUST NOT
perform the requested method if it returns a final status code.
This sounds to me like I need to make two responses to the request, i.e. it needs to immediately send a HTTP 100 Continue response, and then continue reading from the original request stream (i.e. HttpContext.Request.InputStream) without ending the request, and then finally sending the resultant status code (for the sake of argument, lets say it's a 204 No Content result).
So, questions are:
Am I reading the specification right, that I need to make two responses to a request?
How can this be done in ASP.NET MVC?
w.r.t. (2) I have tried using the following code before proceeding to read the input stream...
HttpContext.Response.StatusCode = 100;
HttpContext.Response.Flush();
HttpContext.Response.Clear();
...but when I try to set the final 204 status code I get the error:
System.Web.HttpException: Server cannot set status after HTTP headers have been sent.
The .NET framework by default always sends the expect: 100-continue header for every HTTP 1.1 post. This behavior can be programmatically controlled per request via the System.Net.ServicePoint.Expect100Continue property like so:
HttpWebRequest httpReq = GetHttpWebRequestForPost();
httpReq.ServicePoint.Expect100Continue = false;
It can also be globally controlled programmatically:
System.Net.ServicePointManager.Expect100Continue = false;
...or globally through configuration:
<system.net>
<settings>
<servicePointManager expect100Continue="false"/>
</settings>
</system.net>
Thank you Lance Olson and Phil Haack for this info.
100-continue should be handled by IIS. Is there a reason why you want to do this explicitly?
IIS handles the 100.
That said, no it's not two responses. In HTTP, when the Expect: 100-continue comes in as part of the message headers, the client should be waiting until it receives the response before sending the content.
Because of the way asp.net is architected, you have little control over the output stream. Any data that gets written to the stream is automatically put in a 200 response with chunked encoding whenever you flush, be it that you're in buffered mode or not.
Sadly all this stuff is hidden away in internal methods all over the place, and the result is that if you rely on asp.net, as does MVC, you're pretty much unable to bypass it.
Wait till you try and access the input stream in a non-buffered way. A whole load of pain.
Seb