[rt-users] Restrictions and limitations on use of ReferrerWhitelist, RestrictReferrer, RestrictReferrer (cross-site request forgery warning message)

Duncan Napier dgnapier at sfu.ca
Mon Oct 21 18:30:08 EDT 2013


Hi,

I have an RT 4.0.8 server that uses External Authentication (CAS) and has multiple aliases. I run mailgate, but as a policy, all ticket creation/submissions by regular (unprivileged) users are done through the /SelfServe webpage. Someone has requested that I allow the use of "ticket templates" for certain types of ticket submissions, eg via a website or email hyperlink. For example, the link

http://server-alias1.example.com/Create.html?Queue=12&Subject=Computer Setup Request&Content=%0APrimary User%3A %0AIs this a Computer? (Mac or PC)%3A

creates a ticket template with the subject "Computer Setup Request" already filled in and with a short questionnaire in the body filled in, eg "Primary User", "Is this a Computer? (Mac or PC):", etc. 

The default RT configuration gives a cross-site request forgery restriction warning. I understand that the RT config variables ReferrerWhitelist, RestrictLoginReferrer, RestrictReferrer handle cross-site request forgery restrictions. 

However, I am confused and frustrated by the limitations/restrictions of each of the "Referrer" parameters as I would like to not have the forgery warning appear for our users (who are already signed in through CAS). For example, on my system,

if RestrictReferrer is false (ie Set($RestrictReferrer, '0')), the link above works (ie no cross-site request forgery warning) for Privileged users only, but will not work (the cross-site request forgery message appears) for unprivileged users, which is all of ours who have login access via SelfServe. It sends unprivileged users to SelfServe instead.

ReferrerWhitelist [Set(@ReferrerWhitelist, qw(*.example.com:443 *.example.com:80));] and Set RestrictLoginReferrer=0 do not seem to work at all, and all users, privileged and unprivileged, get the cross-site request forgery message.

-- 

                                 Regards,

                                 Duncan.

-----------------------------------------------------------------------
Duncan Napier
duncan_napier at sfu.ca
http://www.sfu.ca/~dgnapier/
IT & Instrumentation Consultant
Dept of Molecular Biology and Biochemistry
Simon Fraser University

"It takes ten years to become good at being a kid. Then another ten years
to become good at not being a kid" - Larry Wall.
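The following is an added example, not RT's own code and not part of the post above: a simplified Python model of how a Referer-based whitelist such as @ReferrerWhitelist is evaluated. It assumes (as the RT documentation requires for that option) that every entry carries an explicit port, that the port of an incoming Referer defaults from its scheme (80 for http, 443 for https), and that a leading `*.` matches subdomains only, not the bare domain. The base host/port, the whitelist entries and the sample Referer values are constructed for the illustration. The point it makes for a defender is the last case: a request that arrives with no Referer header at all (a URL typed or pasted into the address bar, or a link opened from many mail clients) can never be matched by a host-based whitelist, whatever entries it contains, so a warning on such requests is the whitelist working as designed rather than a misconfiguration.

```python
from urllib.parse import urlsplit

# Default ports used to normalise a Referer URL to "host:port".
DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_host_port(referer):
    """Return 'host:port' for a Referer URL, or None if it is absent or unusable.

    A missing Referer is the interesting failure mode: nothing can be matched
    against a host whitelist, so the caller must treat it as not whitelisted.
    """
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return f"{parts.hostname.lower()}:{port}"


def matches_entry(hostport, entry):
    """Match 'host:port' against one whitelist entry.

    Entry forms handled (model assumption): 'www.example.com:443' for an exact
    host, '*.example.com:443' for any subdomain of example.com. An entry
    without an explicit port never matches, mirroring the documented
    requirement that the port be specified.
    """
    entry = entry.lower()
    if ":" not in entry:
        return False
    ehost, _, eport = entry.rpartition(":")
    rhost, _, rport = hostport.rpartition(":")
    if eport != rport:
        return False
    if ehost.startswith("*."):
        # '*.example.com' covers 'a.example.com' and 'a.b.example.com',
        # but not the bare 'example.com' (model assumption).
        return rhost.endswith(ehost[1:])
    return ehost == rhost


def is_referer_allowed(referer, base_hostport, whitelist):
    """Decide whether a request's Referer passes the host-based check.

    Returns (allowed, reason) so the reason can be logged for diagnosis.
    """
    hostport = referer_host_port(referer)
    if hostport is None:
        return False, "no usable Referer header; host whitelist cannot apply"
    if hostport == base_hostport:
        return True, "Referer is the application's own host and port"
    for entry in whitelist:
        if matches_entry(hostport, entry):
            return True, f"Referer {hostport} matches whitelist entry {entry}"
    return False, f"Referer {hostport} matches no whitelist entry"


# Constructed configuration: the application's own host/port and a whitelist
# in the same shape as the poster's entries.
BASE_HOSTPORT = "rt.example.com:443"
WHITELIST = ["*.example.com:443", "*.example.com:80"]

# Constructed sample Referer values covering the cases worth understanding.
SAMPLES = [
    "https://rt.example.com/SelfService/",            # own host: allowed
    "http://server-alias1.example.com/Create.html",   # alias on port 80: whitelisted
    "https://server-alias1.example.com:8443/",        # alias on a port not listed: denied
    "https://example.com/",                           # bare domain, not covered by '*.': denied
    "https://intranet.example.net/",                  # other domain: denied
    None,                                             # typed URL / mail-client link: denied
]

if __name__ == "__main__":
    for referer in SAMPLES:
        allowed, reason = is_referer_allowed(referer, BASE_HOSTPORT, WHITELIST)
        print(f"{str(referer):50} -> {'allow' if allowed else 'warn '}  ({reason})")
```

When diagnosing a persistent warning, log the raw Referer header alongside the decision reason: if the header is empty for the requests in question, no whitelist entry will change the outcome, and the fix has to be sought elsewhere (for instance in how the link is delivered) rather than in the whitelist.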

