Firefox Mis-handles timeout notification #30
Comments
|
I just pushed a hack into the 1.1 branch which turns 408's into 508's for Firefox. Not sold on this approach - Kevin, please evaluate when possible. |
|
I wonder if a 408 is even what we should be using here. I reviewed the spec HTTP spec and it says
So, it our case it is more a server timeout, rather than the server timing out waiting for the client. Either way, I suppose the behavior of Firefox is technically in line with the spec, if a retry can be tried anytime. I think your approach looks good. |
|
Yea, it probably shouldn't be in the 400's, since they are supposed to be client errors... Not sure how I ended up with 508. I'm pretty sure I intended on using 504 - as that was the closest thing I could find to our error, but perhaps we should just use the generic 500. Firefox is at a minimum slightly wrong, because it never displays the server message to the user - which is supposed to happen in the case of all 400s. Even after 10 tries, when it finally fails, it doesn't show the error, and instead redirects to another server entirely... which is odd... |
Firefox is currently broken when it comes to handling a 408 Request Timeout response.
https://bugzilla.mozilla.org/show_bug.cgi?id=907800
So, if a user submits a query via Firefox which is very slow to process - and we time it out on the server and return the proper 408 error message - Firefox will immediately resubmit the same query again.
Worst case, we end up denial-of-service attacking ourselves, as we now start a second thread on the same query (while the first thread is probably still running too) and then repeat...
Perhaps we shouldn't send a 408 to Firefox. Or, perhaps we put some code in place to detect identical requests which come in immediately after one that we just rejected... though this would be trickier to implement.
The text was updated successfully, but these errors were encountered: