Yeah that's true, I was writing this from my lunch break in a hurry and this was sloppy/wrong.

What I have actually opted for so far in SPAs and other JS form submits is to show a loading indicator inside the button tag, and ignoring the function call as long as a request is pending.

Sibling comments and the article suggest equivalent solutions.

Re sync form submit:

OK, it is still possible to trigger double submits, youre right.

I'd argue that 99% of the users notice their browser's native loading indicator though. Also I have personally experienced the "do you want to submit this POST request again?" popup for spamming form submit buttons without manually reloading the page, but I'm not sure how reliable that is or what the preconditions are.

This being possible is directly caused by browser trying to appear faster by not replacing the current page until they can start rendering the next one. Like with bfcache, vendors do their best to make full page reloads feel like an SPA if the site performance allows.

Which brings us to the only sane answer: if you need to reliably prevent double submits against malicious or clueless users, you need to act on the server.

You can't de-duplicate HTTP requests with client code.