While running jquery 1.3.2 and jquery-ui 1.7.2, we noticed some large number of requests on our servers. Upon further investigation, we discovered that jquery-ui datepicker object is the problem.
This is what happens normally: Once a user clicks on a datepicker object, the month/dates window pops up and allows the user to select a date. Each (available) date has a background image (same for all dates, except those which are marked as unavailable). In our case, the file of the background image is: ui-bg_diagonals-thick_22_1484e6_40x40.png. Thus, the browser requests the file from the web server and fills the dates with their background.
This appears in our logs like:
192.168.1.4 - - [13/Jan/2010:12:01:49 +0200] "GET /templates/images/ui-bg_diagonals-thick_22_1484e6_40x40.png HTTP/1.1" 200 259 "http://localhost/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
But the above is seen 20+ times and multiplies if we display more than one month in the datepicker object!!!
This effectively generates a small DoS attack on our server from a single IP address and that automatically bans the client's IP address on our firewall.
We tested with our own IE client, with cache ENABLED, to make sure cache wasn't disabled on the client side.
The issue appears in the following browsers: IE6
The issue does not appear in the following browsers: FF3
(not tested with IE7 and IE8)
Temporary solution: remove the background from date boxes
Permanent solution: pre-load the background image? figure out why the requests aren't cached? (maybe the browser doesn't wait for the first request to complete).