Original:
Bug description: Page A is accessed directly, clicking something on page A goes to page B, pressing the back button goes back to page A, and simple HTML elements on page A will stop working with Safari.
How the iOS 15 back button works in a nutshell: onclick="history.back();"
Very sloppy at best for a trillion-dollar company's browser. FYI, this bug only happens in https, not http. Does anyone know what exactly in Django 4 is causing this bug?
New:
Not just Django: any secure web framework would have this "bug" with Safari by default. This post could have saved someone hours or days of trouble in the future. See the answer below.
CodePudding user response:
That would be a Safari problem. It's an origin issue. So here's what happens in a nutshell: when that Safari back button is clicked, if you notice carefully, it might still display https but that lock is gone. In Django 3, the default SECURE_CROSS_ORIGIN_OPENER_POLICY is None, and since Apple decides to save budget on its browser, as a result, the back button gets one line of code that is virtually equivalent to history.back(). And in Django 4 the default SECURE_CROSS_ORIGIN_OPENER_POLICY is set to same-origin, and thus, the bug, all thanks to Safari being a cost-efficient browser.
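Added example, not part of the original question or answer: a small check of which Cross-Origin-Opener-Policy a browser would apply to a response, covering the Django 3 default (None, header not sent), the Django 4 default (same-origin), and the fact that browsers ignore the header on non-secure origins. The function name `effective_coop`, the URLs and the header text are constructed for illustration.

```python
from email.parser import Parser
from urllib.parse import urlsplit

# The three values defined for Cross-Origin-Opener-Policy (case-sensitive tokens).
VALID = {"unsafe-none", "same-origin-allow-popups", "same-origin"}
# Hosts treated as trustworthy even over plain http.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def effective_coop(url, raw_headers):
    """Return the COOP value a browser would apply to this response.

    effective_coop is a hypothetical helper for this example only.
    """
    headers = Parser().parsestr(raw_headers, headersonly=True)
    value = headers.get("Cross-Origin-Opener-Policy")  # name lookup is case-insensitive
    if value is None:
        return "unsafe-none"  # header absent: browser default
    token = value.split(";")[0].strip()  # drop parameters such as report-to
    if token not in VALID:
        return "unsafe-none"  # unknown value falls back to the default
    parts = urlsplit(url)
    trustworthy = parts.scheme == "https" or parts.hostname in LOCAL_HOSTS
    # COOP is only honoured on secure origins; over plain http it is ignored.
    return token if trustworthy else "unsafe-none"


# Constructed sample responses (not captured from a real site).
SAMPLES = [
    # SECURE_CROSS_ORIGIN_OPENER_POLICY = None: no header sent
    ("https://app.example.test/a", "Content-Type: text/html\r\n"),
    # SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin" over https
    ("https://app.example.test/a",
     "Content-Type: text/html\r\nCross-Origin-Opener-Policy: same-origin\r\n"),
    # Same header over plain http
    ("http://app.example.test/a",
     "Content-Type: text/html\r\nCross-Origin-Opener-Policy: same-origin\r\n"),
]

if __name__ == "__main__":
    for url, raw in SAMPLES:
        print(url, "->", effective_coop(url, raw))
```

Running the same check against the real response headers for page A and page B shows whether the two pages are served with different opener policies.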