If you want a better server-side solution, you could try employing mandatory idempotency tokens in the request payload. The concept is simple: either have the server give the client an idempotency token as part of the page load, or have the client request one at some point, or have it be something that can be generated on the client side (nonce style) and send it with the request. The server can then validate, using some strongly consistent system, that it has not received any requests in a certain window of time with that token. (Or, possibly, react with the existing response.)
This has an additional benefit that even methods like PUT do not: it works no matter how many layers of your stack might have retry behavior (properly or improperly) and enables safe retry even when you can’t be sure if the request went through or not. The primary downside is that it introduces a single point of failure, though you could theoretically shard it by some property of the request such as the session key/user id/IP address. Still desirable if you have something you really don’t want to repeat, like a transaction. (Probably would be wise to also make those multiple stage, but nonetheless.)
Goes without saying you should definitely still mitigate this on the client side by updating the UI state if JavaScript is available.
AFAIK typical CSRF token implementations allow for reuse, and unlike an idempotency token necessarily need to be generated by a trusted server. They solve a different problem.
Interestingly, the only persons I've ever seen doubleclicking in the web are from my parent generation (>60, >70 years old).
Also since 2015 the mobile adaption increased more and more. On mobile devices, the "double tap" concept never was very important, I think (at least not in the web context).
Therefore my feeling is that this issue is mostly a thing from the past.
Nevertheless I sometimes see forms which implement this "disable after submission" principle. Especially when it's about money, such as when booking a hotel or flight, etc.
I've actually heard people verbally use the word "doubleclick" to mean explore. For example, someone in a meeting might mention some idea. Then my colleague would say "let's doubleclick on that for a minute".
Where I am people use "doubleclick" and "tripleclick" as nouns to represent specific levels of detail. As in, "I think we've got a good story for the doubleclick but I want to hear more about the tripleclick on Topic X."
This is something I usually take care of by throttling the relevant event listeners (in an AJAXed site) but the way this article puts it makes me wonder if this is as easy as globally disabling double clicks on links and buttons:
document.addEventListener('dblclick', event => {
if (event.target.closest('a, input, button'))
event.preventDefault()
})
Would be careful with this (if it works), double clicking can be used to select text, which might turn out to be annoying when disabled in non-button inputs - certainly on mobile I use it a lot.
If the client-side solution is so simple, what's the problem? There are many things on the web where, if given a clean slate, it would be nice to change the default behavior. This doesn't seem to rise to the top of that list.
The proposed solution (an HTML attribute to 'allow' double-click submissions of <form>s) is backwards from how the standard would be updated.
The proposal should instead be for an attribute that prevents double-clicks, because that way browsers that have not implemented it still behave correctly. Additionally, you don't "break userspace" for millions of forms online that no longer work as the developer intended.
However, I'm skeptical that we need to encode this at all into the standard, since setting the `disabled` attribute on the submission button after submission is pretty much test case #0 of any serious online form development.
Amusingly, things have gotten a lot better since 2015 when this was written. That blob of JQuery is now replaced with binding the `disabled` attribute to `isSubmitted` state on your React-based webform. An interesting glimpse into the web-that-used-to-be.
Except that for the overwhelming majority (admittedly not literally all) of those forms, no-double-click is how the developer intended them to work. If anything, I call [citation needed] on the implication that there is any <form> anywhere that actually expects or relies on double-clicks producing two different HTTP requests.
This has an additional benefit that even methods like PUT do not: it works no matter how many layers of your stack might have retry behavior (properly or improperly) and enables safe retry even when you can’t be sure if the request went through or not. The primary downside is that it introduces a single point of failure, though you could theoretically shard it by some property of the request such as the session key/user id/IP address. Still desirable if you have something you really don’t want to repeat, like a transaction. (Probably would be wise to also make those multiple stage, but nonetheless.)
Goes without saying you should definitely still mitigate this on the client side by updating the UI state if JavaScript is available.