Forum Discussion
Edge on iOS has broken cache management, causing DoS-like traffic to websites
Hello,
This post is a last-ditch effort to get someone's attention before we completely block Edge on iOS from accessing our website. It is unacceptably difficult for a website operator to report broken browser behavior to Microsoft, both in general and compared to every other browser vendor. With that out of the way...
Edge on iOS, at least in version 114 but it could be older, has essentially broken browser caching and tab refreshing behaviour, which causes it to more or less DoS websites.
An image is worth a thousand words, so here's the traffic from 1 single user using this browser to 1 single CSS file:
All within a 4 minutes window, this user fetched this CSS file 66 times. And yet:
$ curl -sI -XGET https://mangadex.org/_nuxt/Textfield.9cb560ad.css 2>&1 | grep 'cache-control'
cache-control: public, max-age=31536000, immutable
So we get to be on the receiving end of random single users chugging sustaining 100s of requests/s despite a pretty explicit cache policy, for every single CSS, JS, image, ... asset of our website.
The HTTP spec might not mandate that clients respect cache headers, even browsers, but I have to assume that this is a bug given how utterly broken this is for users. And in turn, effectively results in DoS-like traffic to our website. And thus automatic IP bans of said users.
Now if I were to guess, this is likely because Edge on iOS triggers non-user-driven refreshes of inactive tabs, in parallel, and without any by-origin request coalescing. ie: this user probably actually happened to have exactly 66 tabs on our website open.
The fact that these conditions can occur at all on a mobile browser, with compute/network/battery constraints, is however extremely concerning:
1. Refreshing inactive tabs without human interaction (with the per-user rates and the # of cases we have on hand, this one just pulled at-random from our last hour of logs, this is definitely too fast and senseless for a human to have actively done)
2. This aggressively triggering automatic tab refreshes (which shouldn't exist in the first place)
3. And still not having request coalescing per-origin at the very least (there is at least 2 minutes between the first and last fetch here; that ought to be PLENTY of time to have cached the response)
Now we scoured through the MS docs to try and find a better place to report this, and as far as I know there literally doesn't exist a way to do so. And please don't suggest the following:
- installing Edge on iOS myself to try and report the bug from my phone: I am not an Edge on iOS user, it is not my responsibility as a site operator to go THIS out of my way for it
- having to come all the way here, making a Microsoft account and forum profile: same reasons
Get a proper, neutral, contact method for website operators (this means a form, an email address, or a GH repo). Your browser DoS-ing us is not okay.
Also, we tried one of the only adjacent-ish GH repos of MS, whose team told us they would forward the message, which they didn't (can't blame them, it's not their job and they actually bother having a way to be contacted to report issues) or were ignored.
Finally, this is looking a lot like an issue Firefox on iOS had a few months ago. I don't know if Apple's web APIs are this misleading or it is a coincidence. But they fixed it, so there must be a way for you to fix it as well. ie this isn't some kind of iOS system limitation.
As for this post, we can see two ways forward:
1. This gets acknowledged as a bug promptly. Then we wait for a fix.
2. This doesn't, so we move on to serving some specific HTML page asking users of Edge on iOS to use a browser that has sane operation and issue reporting
No but seriously, fix your bug reporting process. This part of this is just as bad as the browser being half-broken.
Regards
6 Replies
- While we didn't expect much, it's still quite sad to see that Microsoft won't even bother acknowledging a bug causing a browser of theirs to DoS websites.
Given we keep suffering from complaints from affected users of ours, and seeing our limited network/IT resources wasted as a result, we will start serving a custom page to affected users linking them here.
If this proves useless too, we will consider straight up blocking the associated user-agents altogether.
Regards" we will start serving a custom page to affected users linking them here"
MTC - is a Public Forum that is not a Microsoft technical support.
In order for the end user to provide valuable feedback and attach diagnostic data so that this can be checked and fixed, please - Alt+Shift+I.
Description and behavior ( comparison, etc. - without diagnostic data is useless)
Regards, of course, I do not work for Microsoft.
> MTC - is a Public Forum that is not a Microsoft technical support.
Yes, too bad Microsoft does not have any technical support nor bug reporting avenue for websites experiencing bad browser behaviour from their browsers. Which is exactly what I wrote multiple times in the post as well. Please read it first.
> In order for the end user to provide valuable feedback and attach diagnostic data so that this can be checked and fixed, please - Alt+Shift+I.
I attached all the relevant diagnostic information necessary. This happens on Edge on iOS in unpredictable ways. There's no Alt+Shift+I there. Nor is it our job to gather client-side browser debug logs for Microsoft when we're a website. That said, my original post is once again **very** extensive in technical details already. Once again, please read it first.
Regards
