Wordpress handles 404s really slowly? I'm kind of surprised it works at all then, as at least in my logs there's a very steady stream of bots probing it for vulnerabilities by trying random URLs.
It may intentionally 404 slowly? One web service I worked on added a few hundred milliseconds delay in returning 404s to slow down this kind of probing attack
Ooh, that's a good idea actually. But it doesn't explain this:
> If I click enough, I’d eventually see HTTP 503 Service Unavailable.
That normally only happens when the reverse proxy has a timeout, which would normally only happen when the backend was completely overloaded.
Unless WP has an exponential delay, and the 503 is just the exponential delay becoming longer than the reverse proxy timeout? But why would the main page that the guy is loading say 503, when random non-critical parts like favicon.ico get a 503?
Unless the exponential delay is per IP address -- so all the misses to favicon.ico are actually slowing down the main connections past the reverse proxy timeout?
EDIT: Actually, no, they have graphs of the server actually spiking memory and CPU usage; you'd expect intentional exponential delay to reduce memory and CPU usage.
I managed to get around it with litespeed Cache which does cache 404 pages. I was previously using WP Super Cache which does not. Note I also wasn’t running a CDN so there’s no reverse proxy cache either.
Over time, I found that BetterLinks was slowing down my site significantly (600ms) . It wasn’t like this when I first investigated. It became slow over the course of a year or so. I ended up replacing it with Simple 301 Redirects. I think this is a separate issue though, unrelated to my original overload, but looked very similar to when Firefox DOSed my site.
I experimented with CDNs to cache things reverse proxy style as a catch all. Eventually I caved and enabled Cloudflare CDN because QUIC.cloud kept having problems where a POP node kept hitting 403 Forbidden. I’d say the site is pretty functionally performant now.
I think most sites that claim Wordpress handles high loads really well have at least two layers of caching in front of it and are running on dedicated boxes. Remove both of those and suddenly it’s super easy to DOS.
Another common DOS exploit is to repeatedly spam the Forgot Password form, since there’s a lot of guaranteed processing with that and it’s not cacheable. I hid mine behind a captcha which helps a lot.
It's an open source project, with a good discussion of the technical issues on GitHub[1]. Probably linked to certain user behaviors, like having hundreds of tabs open, but surely also contingent on the complexity of wedging a browser in iOS. Like maneuvering an excavator into a sandbox.
I also wonder how these requests "beat the shit out of the web server." It's requesting the feed and the favicon, both of which could be cached by a CDN. Even if they aren't, how much traffic are you gonna see from this compared to some other page trending on HN? Wasteful, sure, but hardly that big a deal
In this case, using a CDN in front of the server is the thing which would improve things for people with limited bw/hw more quickly and to a greater extent than counting the fetches by Firefox on iOS and calling it out for fetching too much
I feel like this is a marketing meme by cdn providers that gets parroted a lot.
As someone who has used CDNs vs hosting on the server directly, CDNs are slower to load the images especially when there is a cache miss. The only reason I’m using a cdn is because I need to host 100gb+ images. If it wasn’t for that I wouldn’t use a cdn and get a better experience on the site.
>In this case, [X] would improve things more quickly than [Y].
Maybe so, but more importantly why are you phrasing this like it's an either/or choice?
"We, the developer community, contain multitudes." Clearly we can (and should) do both.
Besides the obvious benefits at the higher community level of organization, deploying both solutions will result in even less bandwidth and power wasted from this specific bug than using either solution by itself.
Why should you need to provision a CDN when If-Modified-Since / Etags exist?
I get that not every client is well behaved, but you'd hope that Firefox would be, given Mozilla's presence in web standards.
(Which, tbh makes me think this issue is the "on iOS" bit, given it's Firefox. I presume Apple still has their "only Safari's rendering engine" rule in place for... ...reasons)
A CDN caches across users, lowers latency by having servers closer to the user, and lowers the bandwidth your server needs to handle. Cloudflare CDN has a free tier and I assume others do, too, so it's fairly easy to provision.
They probably have to write a totally different fetching logic for the Safari wrapper. If Apple wasn't as scummy as they are, they would have used the same logic as in other platforms where this problem doesn't seem to exist.
I opened the Github issue linked. For us it represented, at times, thousands of requests per second across multiple users. And that was with affected users getting IP-banned temporarily.
Some of which were 404s which you typically absolutely do not want cached. Or 405s (on HEAD /favicon.ico for example). Or 429s. Or 403s.
Browsers are expected to:
1. Use the favicon specified in meta if any (we do have one, /favicon.svg)
2. Respect cache headers (immutable + multi-months max-age)
3. Not make completely random requests to things they should ignore (such as OpenGraph tags)
Yes CDNs do help with these kinds of issues, but they absolutely do not fix them all. Which is why even though we have a pretty damn elaborate setup in that regard we were being annoyed by the issue.
But also Firefox on iOS should be not-completely-broken.
Pretty weird to think that running a web server also means you should operate "a geographically distributed network of proxy servers and their data centers".
I also think it's pretty weird to defend thoroughly defect software with "waste ful, sure, but hardly that big a deal".
This why in a lot of contexts it would be good to at least be micro catching them.
If they were cached for 5 seconds it would have covered all subsequent requests.
I can easily have hundreds of Chrome tabs open, and none of this happens. I can have hundreds of tabs inadvertently open in iOS Safari, and none of this happens.
Would you kindly refrain from blaming users for what clearly is a bug in the application?
Just yesterday I blocked the bots from my blog using this[1]. Of course whether these bots respect robots.txt nowadays is a different question altogether
Firefox on iOS has about 200k lines of Swift. As a rough rule of thumb, everything that isn’t directly related to rendering something within the page or executing JavaScript is Firefox code not WebKit code. So bookmarks, syncing, tabs, etc.
Given the seriously negative sibling comments, I thought I'd weigh in with my own experience. I'm unaware of anything behind the scenes, but I've always enjoyed the user experience in Firefox on Android, at least for the last couple years before the rewrite. I don't like browsing the web on my phone, but it's made it bearable.
I can't speak to the problems behind the scenes though, and they certainly merit attention.
Firefox on Android is a godsend to me, and the secret is that I can install uBlock origin and noscript on my mobile. I get a whiplash when I see someone else browsing the web without these, it is absurd how much attention people will allow to be just stolen away.
Firefox on Android is NOT amazing. For MANY YEARS the user agent included the exact model of your phone. They seem to be incompetent. (Edit: this is a bit harsh, and to clarify, directed at the company and not any specific people in their employ.) Exactly what Google wants -- plausible deniability when it comes to monopoly, but an awful alternative.
Absolutely. I was an Android user for years and got an iPhone as a gift in 2022. On Android, I used Firefox with uBlock Origin. Mobile web browsing is not the best experience regardless, but that made it tolerable.
The worst thing about the iPhone is the web browsing experience in Safari. It's awful. The ads totally ruin it. The rest of the phone is fine, I still prefer Android but that's most likely just because it's what I started with.
There are adblockers for iOS - I’m using 1Blocker with Safari. Genuine question: Are the iOS adblockers limited in some way that make them inferior compared to what you were using with your Android phone?
The only adblocker I have used is uBlock. I don't really know how adblockers work for Safari, it doesn't seem obvious. I don't like installing apps, and it seems that they are mostly apps?
I think the main thing is the point is the adblocker is in there. And as another poster pointed out, they do use the webkit engine, but they can do lots of things besides that to improve the browser from “reskinned safari” like lots of people seem to be claiming.
That's fine, but that is moving the goalposts. GP said that Firefox is so good on Android because it's important to have ad blocking, and Brave meets that need just fine.
..on their search, not the browser. That's like saying Safari has "anti-privacy/adtech builtin" because Google is their default search engine. You just switch to a search engine of your liking.
No it's not. It's slow and buggy. You can also use an adblocking DNS like AdGuard and have adblocking system-wide. Yes I know uBlock blocks a bit better but DNS-blocking suffices. Also, there are other browsers with integrated adblockers based on Chromium.
It's not "a bit" better. uBlock can tell a difference between seeing an ad from network X and going to the website of network X. It can block ads hosted by the owner. It can allow you to click a tracking link from an email while still blocking ads on the target website. Finally you can unblock something as a one-off without disabling the system for the whole device/network. The quality difference is huge.
Not ever had Firefox for android be slow and buggy for myself! I've been using it in place of chrome on my phone for a good year. Honestly everyone keeps talking about how FF is "slow and buggy" and it has NEVER given me issue :/ why is my subjective experience so different to your subjective experience?
Meanwhile chrome/chromium is the one which is most likely to cause me GPU driver crashes, but that's because I use it for fun VR and "let's see how big I can make textures" experiments. Generally it manages a higher frame rate than FF in that context with stability as tradeoff.
There could just be a difference in hardware. I'm a Firefox user but there is a noticeable difference, just not one that matters much on a top tier soc
Loading JS heavy pages like Twitter on Firefox Android is way slower than Chromium based. Very noticeable on 2019 hardware, less so but still on 2022 hardware.
Ah, fair point. I'm on a pixel 6, so I have a privileged perspective that like 90% of smartphone browser users don't have because fairly new and fast SoC with a good amount of memory. I hadn't considered how much a difference that makes, because conceptually in my head "it's just webpages!" like we're still in the early 2000's
But is completely Firefox fault? Some companies just test compatibility and optimize with Chrome in mind, forgetting that sometimes some browsers (Firefox as well) dont respect some standards. Or even adding some features only available in some browsers.
Yes, is not as bad as it was in the 90s or 2000s, but is still a common issue
What's the user visible tradeoff between "an average page is so laden with advertising and tracking nonsense that it loads slowly and is covered with crap, but that crap all renders real fast" vs "JS renders at 1/10th the speed but only the stuff you want to look at?"
I use Firefox on a ~2020 era Android, and not even a particularly great one at that. Works fine for me aside from a very few badly written sites, and certainly not any shower than chrome.
ublock makes sites like imgur usable. it's trivial to add a nice rule that deletes all those login via social media buttons just as one example of what the hosts file can't do.
You've been downvoted but I would like to echo this comment.
I use Firefox mobile daily, I occasionally have to switch to Chrome for some things. I choose to continue using Firefox Android because of the ability for greater privacy.
Firefox android is slow and buggy.
It is especially terrible if you are not in the habit of closing open tabs and just open new ones. As a concrete example, it often seems to run out of memory, causing issues such as Reddit not being able to load videos. They tried to fix this by more aggressively moving older tabs to an 'inactive' tab area, but it didn't work.
It at least feels badly written, saying that as an experienced developer myself. However, I know browsers are one of the hardest things to make, so perhaps it is just averagely written. But it is nowhere near Chrome's level of competence.
The new UI is awful too, I still hate a lot of design decisions and feel it was a bad mis-step. The old UI was just better. Again, I emphasise I use the browser daily and I say this with plenty of time to get used to it.
> It is especially terrible if you are not in the habit of closing open tabs and just open new ones.
I just closed a bit over 2,000 tabs on my old phone because I was switching phones. I recall reading a couple of other comments here in HN and seeing a couple of comments in reddit of other people having thousands of tabs open.
Slow and buggy has NOT been my experience.
I use uBlock Origin addon though, maybe that's the difference? I bet resource-hogging ads could be an issue.
Edit: I also had "studies" turned off. Perhaps you were in a study that was testing something that caused those issues? (That's why I don't like default "studies" or A/B testing.). Or maybe something else (physical or software) on your phone is damaged/defective, perhaps even your installation of the Firefox app got borked?
No, it's happened on two different phones over the last 2+ years. And two completely different phones, Xiaomi and Pixel.
I do wonder how you know you closed 2,000? The UI displays an infinity symbol over 99 tabs. If you had so many open, most of those would have been moved to inactive. The inactive tab section doesn't have a count and has a button you can click to close all.
Makes me sort of wonder whether you are actually using it.
There's an option to turn off the inactive tabs feature.
Trying to "share" all of them will crash Firefox, so I manually select 100 and share those, then close those, repeat 20 times (which is how I know how many tabs I had open).
It's just par for the course for Firefox users to deny any problems with the browser and blame it all on Google. Not to mention the history revisionism on why Chrome beat Firefox. I was a huge Firefox fan with a heavily customized browser and then Mozilla removed everything. The biggest enemy of Firefox is not Google, it's Mozilla and their incompetent leadership. They need to focus on their Android browser ans invest heavily because that's where the biggest user base is. I don't want them to abandon Gecko, but it's clear that Mozilla can't keep up.
The other day I found out my mobile user agent string also included the kernel build version. Way to see which, if any, exploit would be effective for the device's patch level. Thankfully it has a spoof option so I now use that to send a correct, but slightly stripped, UA string
I keep thinking I should switch to Firefox but the current ux is just so comfortable
To address this, we will measure Telemetry Coverage, which is the percentage of all Firefox users who report telemetry. The Telemetry Coverage measurement will sample a portion of all Firefox clients and report whether telemetry is enabled. This measurement will not include a client identifier and will not be associated with our standard telemetry.
Even if you turn telemetry off it will still call home
>...directed at the company and not any specific people in their employ.
They are the same thing, until you get to the upper levels, that own the place ie 'take full responsibility'.
We are fa-mily.
Until the shit hits the fan.
iOS requires a browser to use the OS-provided WebKit, but you can still use your own networking layer, and doing your own scripts injection (e.g. for extensions, like what Orion is doing). Firefox for iOS used to use Alamofire as its networking engine, but switched over to NSURLSession/URLSession at some point. Chrome for iOS uses Cronet which was extracted from Chromium's networking stack (or maybe used, I have not followed the development recently).
No one is splitting their codebase for a single market if it doesn't make business sense. For a nonprofit with limited resources, I don't think it would make sense.
> I thought firefox on ios was just safari with a reskin
It is. It does avoid some of the tracking/ad content, so I guess it does do some things somewhat differently. But if it's such a scourge, add a favicon.
BTW, I've never seen this, and I regularly use Firefox on iOS to test.
I'm another who loves firefox on android. It annoys me that to some degree Android forces chrome on you, even if firefox is set as your default. The full plugin support that got added in the last year really took it up a notch too.
My experience with Firefox Nightly for ~1 year below. Ironically, the nightly sounds more consistently stable than the current release build then!:
* Never had this tabs problem
* I can see about:config
* Bookmarks are fine and there's no mention of Pocket. Bookmarks show up ON the homepage, but yeah not being able to set a bookmark / any URL AS a homepage is a bit of an annoying feature lack
* URL completion works as I expect it to, although it does bug me how it strips the protocol from the URL so I have to manually type in `http://` for plaintext sites even when I've visited them before; depending on who you ask that is considered a "security feature" but kinda annoying. Other than that, I start typing in a URL and it shows me suggestions from my history followed by option to use my preferred search engine to search it.
All in all, I've not really felt FF (even nightly) be particularly different or unstable to using chrome.
Second comment I've made in this thread where I'm replying (ever so helpfully) "Huh, but it works for me" so I'll stop now :-). I promise the Mozilla Foundation aren't bribing nor blackmailing me.
I don't remember seeing Pocket, so I went back to the settings to look. There's an option to have "Thought-provoking stories" which in smaller text says "Powered by Pocket".
Considering I didn't even realize it said Pocket the first time around, I think bookmarks are more prominent over Pocket, so I don't see bookmarks being demoted in favor of Pocket.
For a while, bookmarks were demoted in favor of Collections, a jankier version of bookmarks that didn't sync properly to desktop and included a button to open all of them at once in multiple tabs.
Collections are still there, but they've made it easier to use regular bookmarks too, so now Firefox for Android just has two versions of bookmarks in it for some reason.
Entirely unrelated to Pocket, as far as I know, except in the general sense of Mozilla having bad ideas related to bookmarks.
How? For me the closest thing I can get is "recent" bookmarks, but if you didn't bookmark a page recently it shows nothing at all, not even a link to all bookmarks, on the new tab page
Pocket is the worst. It tried to get me to read some article where the author was whinging that her daughter was pretty and people were complementing her as such.
I don't understand her point. I guess that she's uncomfortable with human aesthetics? Why would being pretty require sacrifices in health and self-respect? One of the largest factors in looking good is being in good shape/physically healthy. Avoiding skin damage from UV is also a big one. Why would you lose self-respect for looking good?
The author of this site usually takes pains to obfuscate whatever big commercial entity she's talking about who did dumb stuff. But when it's Firefox, she names names. Huh.
I remember something similar with Internet Explorer back in the day, where it would ask for the favicon (which we didn’t have setup at the time) so our 404 page would be returned, which then seemed to trigger another request for a favicon. (╯°□°)╯︵ ┻━┻
Only in the EU because of that ruling. IIRC they are not implementing the requirement elsewhere (though they might eventually if the difference gets sufficient bad press or becomes technically inconvenient).
I think it use to display a downsized version of the image.
The use case is this: I drop the icon in a folder and never look back. It just works. Why would I want an additional approach?
> These can be solved by
> <meta favicon=./user_favicon.ico>
> or something.
There is nothing to solve, it already works, the line has no advantages but it does have "or something" disadvantages.
Your memory is no doubt better than mine but you didn't remember how the tag worked. <meta> is for information about the document <link> is to describe relationships with other things. You've also left out the quotes.
This is the correct way of having an extra line of code that does nothing.
For fun someone thought it a good idea to also have rel="shortcut icon" I'm picturing a room full of applauding people. (Who had nothing better to do)
image/x-icon isn't really correct, x- is for experiment, it should be type="image/vnd.microsoft.icon"
Browsers accept anything in the attribute. They also support not having a type. But if our goal is to have superfluous lines of html we should definitely go with the correct IANA mime type registered in 2003.
Redundant link headers also sounds fun!
Maybe in the future there will be new fixes for problems no one has?
If the url is server.com/users/jsmith/hobbies/fun/photography.html then how many directories should be probed for a favicon?
Is that also the correct behavior for trying to identify a favicon for something like docs.oracle.com/javase/8/docs/api/org/xml/sax/helpers/DefaultHandler.html
Though they aren't common enough that it needs to be a built-in, especially as you can already specify a page specific icon via a link tag in your page's head which every up-to-date stable browser has had support for since 2010 or before (ref: https://caniuse.com/?search=link-icon).
Yes? Other people had already mentioned some in this thread.
Generally: Any circumstance where you might want the icon to change per section/page/app rather than per (sub)domain. Do you want me to enumerate all possible combinations of web server configuration and tick the ones that applies to?!
For one: perhaps you host several tools off the same domain name, either literally on the same web server or via a proxy arrangement. As I said, these circumstances aren't all that common, and when they turn up I doubt the right favicon being use is going to be something you'd care about overly, but I wouldn't be surprised to find there are circumstances where it is important enough to someone.
I occasionally get this from some sites. Sometimes switch to safari or reset Firefox fixes it.
I use Firefox as a quick lookup because the tabs crash often and it hardly ever saves the websites I was on when re-opening. So far I have crashed safari and lost all my tabs once ever. Firefox focus does a pretty good job too for quick lookups.
I get it, everything adds up and over millions of page-loads there will be a bit of wasted bandwidth. But it seems the original author blew this issue out of proportion with this post. Why even be annoyed by such a minor issue?
> And yet, this thing decides to beat the shit out of the web server while trying to get it.
This is an exhorbitant exaggeration. They are duplicated requests for a favicon. Not only is that a tiny resource, most of these requests are 404ing which is cheap. And even if it isn't 404, your favicon is a tiny static asset, it should either be served by CDN or in the server's filesystem cache anyways.
Title implies that this article thirdly explains how to waste annoying sysadmins, which is an entertaining prospect.
Are we talking about not putting annoying sysadmins to good use? Or are we talking about, you know, makin sure they don’t cause nobody no trouble again, boss?
> First up, why in the hell do you need to request the same link 12 times? No, scratch that, 15 times, since it does 3 more after getting the css and feed icon.
It makes a debouncing. It compares the result with the previous to be sure it is OK. /s
This isn't a very constructive post. Are we supposed to believe this is the only inefficient and buggy software out there? Seems weird to call out a particular project like that.
This isn't a very constructive comment. Are we supposed to believe that one can never criticise any piece of software, ever, on the off-chance that some other piece of software, somewhere, once contained a similar issue?
I'd just like to interject for a moment. What you're referring to as Fell Good culture, is in fact, toxic positivity/Feel Good culture, or as I've recently taken to calling it, toxic positivity plus Feel Good culture.
Basically Firefox loaded favicons 4x the number of tabs opened to that website. It would do this every time I opened or closed any tab.
https://aggressivelyparaphrasing.me/2022/12/12/why-does-my-l...
It was resolved a while back so maybe it’s similar symptoms but different root cause, or maybe it’s people using older versions?