OK. Found it.
So Django (a web framework that is used to power the front-end of Microcosm sites including LFGSS) does use the Referer header as part of the information that is hashed into the CSRF token.
CSRF = Cross Site Request Forgery. Forms on HTML pages need to use such a token to ensure that other people cannot trick you into submitting forms as you.
If anyone remembers on vBulletin when Ed Scoble put an image in a post whose image URL was the "Mark Forum Read" link... you'll know what CSRF tokens do. They prevent that.
They work like this:
- Visit a page with a form on, and the server generates a unique token
- Submit a form, and the form contains the token generated earlier
- When the server receives the form the token is checked to make sure it matches the one originally generated
None of that requires the Referer header. But... Django clearly generates the unique token using that piece of information.
Which means that if the Referer header is stripped, Django can never validate the CSRF token and the server doesn't believe that you are the person submitting the form.
Now... the PIA extension... it is being too aggressive.
The sane and best way to approach Referer headers is to strip it when the domain is different. i.e. do not tell other sites which page you were visiting earlier.
But what PIA is doing in their Chrome extension is stripping the Referer header even when you are on the same domain. This will break all manner of things: CSRF tokens, images on sites that have scrape protection, etc.
This is a bug in their extension, not on LFGSS.
You can disable this feature, but their documentation reads like you need to disable it every time:
- "Extension Settings" > "Tracking" > uncheck "Disable website referrer"
This will make LFGSS work again.
A better thing to do is to not use the browser extension and to use the system application for PIA instead. But perhaps you do not have the ability to install that.
I'll register a bug with the PIA extension and hope that they fix it.
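To make the three steps above concrete, here is an added example (not code from the post, from LFGSS, or from Django itself): a minimal CSRF token scheme in which the token is bound to the session with an HMAC and never touches the Referer header, plus a separate, optional same-origin Referer check of the kind a strict server might layer on top. The secret key, the session IDs, the form field name `csrf_token` and the sample Referer values are all constructed for the example.

```python
# Added illustration: a simplified CSRF token model, not Django's code.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: a server-side secret that never leaves the server.
SECRET_KEY = b"constructed-secret-key-for-the-example-only"


def _mac(session_id: str, nonce: str) -> str:
    """HMAC over the session id and a per-form nonce; no request headers involved."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Step 1: when the form page is rendered, mint a token bound to this session."""
    nonce = secrets.token_hex(16)  # 32 hex characters
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, token: str) -> bool:
    """Step 3: on submit, recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != 32:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def referer_same_origin(headers: dict, site_host: str) -> bool:
    """Optional defence in depth: only accept a POST whose Referer is our own host.

    A browser or extension that strips Referer on same-site requests makes this
    check fail even though the token itself is perfectly valid.
    """
    referer = headers.get("Referer")
    if referer is None:
        return False
    return (urlsplit(referer).hostname or "").lower() == site_host.lower()


def accept_post(session_id: str, form: dict, headers: dict,
                site_host: str, require_referer: bool = False) -> bool:
    """Decide whether a form submission is genuine.

    The token check alone (require_referer=False) works with no Referer at all;
    only the stricter mode depends on the header being present and same-origin.
    """
    if not verify_token(session_id, form.get("csrf_token", "")):
        return False
    if require_referer and not referer_same_origin(headers, site_host):
        return False
    return True


if __name__ == "__main__":
    token = issue_token("session-abc")
    form = {"csrf_token": token}
    print("no Referer, token only:", accept_post("session-abc", form, {}, "www.lfgss.com"))
    print("no Referer, strict   :", accept_post("session-abc", form, {}, "www.lfgss.com", True))
```

Running the block shows the first line `True` and the second `False`: the token survives a stripped Referer, a strict Referer policy does not. The host comparison uses only the hostname, so a cross-site page that includes the form as an image or iframe still fails the strict check, while an absent header is treated the same as a foreign one.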
- Visit a page with a form on, and the server generates a unique token
PIA is lying. No Referer header is required. Not sure why they think it is.
I shall do a test tomorrow morning on my other computer (the one with PIA on... this one is a media PC and isn't VPN'd).