  • PIA is lying. No referer header is required. Not sure why they think it is.

    I shall do a test tomorrow morning on my other computer (the one with PIA on... this one is a media PC and isn't VPN'd).

  • Cheers. Connecting to PIA for the system works fine for posting, it just appears to be the Chrome add-in that causes the problem (same error on Win10 and Chromebook so OS doesn't seem to be an issue).

  • OK. Found it.

    So Django (a web framework that is used to power the front-end of Microcosm sites including LFGSS) does use the Referer header as part of the information that is hashed into the CSRF token.

    CSRF = Cross Site Request Forgery. Forms on HTML pages need to use such a token to ensure that other people cannot trick you into submitting forms as you.

    If anyone remembers on vBulletin when Ed Scoble put an image in a post whose image URL was the "Mark Forum Read" link... you'll know what CSRF tokens do. They prevent that.

    They work like this:

    • Visit a page with a form on, and the server generates a unique token
    • Submit a form, and the form contains the token generated earlier
    • When the server receives the form the token is checked to make sure it matches the one originally generated

    None of that requires the Referer header. But... Django clearly generates the unique token using that piece of information.

    Which means if the Referer header is stripped, then Django can never validate the CSRF token and the server doesn't believe that you are the person submitting the form.

    Now... the PIA extension... it is being too aggressive.

    The sane and best way to approach the Referer header is to strip it when the domain is different, i.e. do not tell other sites which page you were visiting earlier.

    But what PIA is doing in their Chrome extension is stripping the Referer header even when you are on the same domain. This will break all manner of things: CSRF tokens, images on sites that have scrape protection, etc.

    This is a bug in their extension, not on LFGSS.

    You can disable this feature, but their documentation reads like you need to disable it every time:

    • "Extension Settings" > "Tracking" > uncheck "Disable website referrer"

    This will make LFGSS work again.

    A better thing to do is to not use the browser extension and to use the system application for PIA instead. But perhaps you do not have the ability to install that.

    I'll register a bug with the PIA extension and hope that they fix it.
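As an added illustration (not code from the post, from Django or from Microcosm), here is a simplified model of the two independent server-side checks the post describes: a CSRF token bound to the session, and a same-origin Referer check of the kind Django applies to HTTPS form submits. The host name, secret and session ids are constructed placeholders; the form field name follows Django's convention.

```python
import hmac
import secrets
from hashlib import sha256
from urllib.parse import urlsplit

# Constructed placeholders for the demonstration (not real site values).
SITE_HOST = "lfgss.example"
SECRET_KEY = b"constructed-demo-secret-key"

def issue_token(session_id: str) -> str:
    """Token placed in the form: random salt + MAC binding it to the session."""
    salt = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{salt}".encode(), sha256).hexdigest()
    return f"{salt}.{mac}"

def token_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session; the Referer plays no part here."""
    try:
        salt, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{salt}".encode(), sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def referer_ok(headers: dict) -> tuple[bool, str]:
    """Same-origin Referer check. A missing header is rejected outright,
    which is why an extension that strips Referer even on same-site
    requests breaks every form submission."""
    ref = headers.get("Referer")
    if ref is None:
        return False, "Referer header missing"
    parts = urlsplit(ref)
    if parts.scheme != "https" or parts.hostname != SITE_HOST:
        return False, f"Referer {ref!r} is not same-origin"
    return True, "ok"

def check_post(session_id: str, form: dict, headers: dict) -> tuple[bool, str]:
    """A POST is accepted only if both checks pass."""
    ok, reason = referer_ok(headers)
    if not ok:
        return False, reason
    if not token_valid(session_id, form.get("csrfmiddlewaretoken", "")):
        return False, "CSRF token does not match session"
    return True, "accepted"
```

Run `check_post` with a same-origin Referer, with no Referer at all, and with a cross-site Referer to see which of the three is the case the extension triggers.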
