While working hard at getting an application up and running for a lunch tomorrow, I ran into this annoying screen:


Access to the webpage was denied
Not really reading the message fully, I thought maybe my web server is throwing some sort of error that was telling chrome to stop the request. Quick google for “Access to the webpage was denied passenger” didn’t really return anything useful, however then I remembered that I switched to Pow a while back, so I google again for “Access to the webpage was denied pow” but that was even less useful.


So I re-read the message and followed the included link from the message and found this:


Chrome net internals httpThrottling
Unchecking the checkbox removed this feature.


Why this happens

Well it seems that chrome has a built-in DDoS protection, meaning that if a server returns a 500 type error, and you keep refreshing the page to see if it has been fix, chrome will actually stop you for a few second (The exact delay is based on how many times you’ve attempted to access the page “delay = initial_backoff * multiply_factor^(effective_failure_count - 1) * Uniform(1 - jitter_factor, 1]“. Get more info at: http://dev.chromium.org/throttling). This intern stops you from putting extra load on the server while (hopefully) the app is getting fixed.

Why this is an issue for me

Now I think it’s great that chrome attempts to stop (probably unintentional) DDoS attacks, but it should really ensure that local requests don’t fall under that protection. I am a developer and I’m trying to fix a local app, which is throwing a 500 error, and I refresh frequently to see if I’ve been able to fix it but when I am delayed before able to see my results, it’s just very unproductive, especially when the delay gets longer with the increasing number of refreshes.

That’s just my thoughts on this. I’ve already let the Chrome team know about this issue. Let me know if you’ve had a similar experience.

UPDATE (Nov 2, 2012)

I just got an email from Jói on the Google Chrome team and he says:

From version 13 onwards, Chrome should not throttle any requests to localhost or its many aliases (localhostv6,, ::1 and so forth).  You can check your version by typing about:version into the address bar, but it’s highly likely you are on 14 or later.

On the other hand, it is very difficult for Chrome to distinguish that a domain name or IP address other than the ones universally recognized as being the local loopback address actually points to the local server.

And so it seems because I’m using Pow and my URLs look like http://myapp.dev, chrome is unable to determine if this is a local request and therefore kicks in the DDoS prevention.