Form Submission: Fix the "Double Submit problem" at the spec level #5312
Comments
To be clear, even if this were added the backend would still have to account for double submissions as network conditions might also yield multiple POSTs. Adding this might in fact lead to less robustness as it's no longer as frequently observed.
Serverside/backend validation and checking is always necessary, as requests can also originate from outside of the browser (e.g. curl). This proposal/request isn't meant to replace serverside validation (which it can't) but only to try and prevent the user from doing wrong things (which they do). I like to compare it with
I can't see option 2 being accepted. Adding a new feature is one thing, but changing the default behavior, especially of a very old feature, is a much bigger deal. Working off the first suggestion then: I think it should have multiple values instead of just is it there or not. For example Also, how long until the form can be submitted again? Until the request response arrives, after a certain amount of time, until the page is reloaded, until a new session is started?
Adding to the log here that yesterday this issue sparked up again with some devs. I've collected the thoughts expressed both here and on Twitter in a blogpost over at https://www.bram.us/2020/11/04/preventing-double-form-submissions/
I personally fix this problem in the HTML layer with some sort of timestamp or nonce in a hidden input, so the
<form method=post>
  <input type=hidden value={{resubmitSentinel}}>
  <!-- … -->
</form>
It’s a little annoying to set up (the hard part is figuring out how to generate Maybe this proposed attribute could automatically attach a browser-provided nonce? Something similar to the magic
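The hidden-input nonce in the comment above only stops duplicates if the server consumes each value exactly once. A server-side sketch of that check, added here as an example and not code from the thread: `SubmitGuard`, its TTL and the in-memory `Map` are assumptions, and the issued token is what would fill `{{resubmitSentinel}}`.

```javascript
// Added example. SubmitGuard, the TTL and the in-memory store are assumptions.
const { randomBytes } = require("node:crypto");

class SubmitGuard {
  constructor(ttlMs = 15 * 60 * 1000, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.tokens = new Map(); // token -> { expires, done, result }
  }

  // Call when rendering the form; the return value fills the hidden input.
  issue() {
    const token = randomBytes(16).toString("hex");
    this.tokens.set(token, { expires: this.now() + this.ttlMs, done: false, result: null });
    return token;
  }

  // Call on POST. Runs `action` at most once per issued, unexpired token.
  submit(token, action) {
    const entry = this.tokens.get(token);
    if (!entry || entry.expires < this.now()) {
      this.tokens.delete(token); // never issued, or expired
      return { status: "rejected", result: null };
    }
    if (entry.done) return { status: "duplicate", result: entry.result };
    entry.done = true; // mark first so a retry arriving mid-action cannot rerun it
    entry.result = action();
    return { status: "accepted", result: entry.result };
  }
}

// Constructed scenario: double click, a token the server never issued, a stale form.
function demo() {
  let clock = 0;
  let charges = 0;
  const charge = () => ++charges;
  const guard = new SubmitGuard(1000, () => clock);
  const token = guard.issue();
  const first = guard.submit(token, charge);
  const second = guard.submit(token, charge);
  const forged = guard.submit("not-issued", charge);
  const staleToken = guard.issue();
  clock = 2000;
  const stale = guard.submit(staleToken, charge);
  return { first, second, forged, stale, charges };
}

console.log(demo());
```

With more than one server process the token store has to be shared, and the check-and-mark step has to be a single atomic operation in that store.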
The other day I wondered: Why is it that browsers don't prevent double form submissions by default? Some users (mistakenly) double click on submit buttons, or re-click a submit button when a request takes up a long time. This way the backend might process certain transactions twice (or more, if the user submitted multiple times).
To work around this on the client we have to rely on JavaScript (which might not be available):
An attribute on <form> to tweak this behavior – instead of having to rely on JavaScript – would come in handy and form a nice addition to the spec.
I see two options to go forward:
1. preventmultiplesubmits attribute.
2. allowmultiplesubmits attribute.
My personal preference goes to the second option, as it's a safe default and a courteous thing for browsers to do:
If you search for "Double Submit problem" on a search engine you'll find lots of posts regarding this topic — it's an active problem that lives with developers. The post https://ma.ttias.be/double-clicking-on-the-web/ stood out to me, as it also involves user behavior.