<HTML xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><HEAD><meta http-equiv=Content-Type content="text/html; charset=utf-8" /><meta name=Generator content="Microsoft Word 12 (filtered medium)" /><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.kwd
{mso-style-name:kwd;}
span.pln
{mso-style-name:pln;}
span.pun
{mso-style-name:pun;}
span.str
{mso-style-name:str;}
span.lit
{mso-style-name:lit;}
span.com
{mso-style-name:com;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-AU link=blue vlink=purple>
<P><BR /><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Hi Paul,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Firstly, I'll just point out this isn't my fix, it's stolen from the top answer of http://stackoverflow.com/questions/4762254/javascript-window-location-does-not-set-referer-in-the-request-header, but it is elegant and works, so there you go. Define the function navigateToUrl(url), either in an external file that you include in each page (I forget what the name of the configuration option is, but you'll find it if you grep etc/RT_Config.pm for javascript) or inline in all the pages you might use it (I would suggest the former of these).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>function navigateToUrl(url) {<br /> var f = document.createElement("FORM");<br /> f.action = url;<br /><br /> var indexQM = url.indexOf("?");<br /> if (indexQM>=0) {<br /> // the URL has parameters => convert them to hidden form inputs<br /> var params = url.substring(indexQM+1).split("&");<br /> for (var i=0; i<params.length; i++) {<br /> var keyValuePair = params[i].split("=");<br /> var input = document.createElement("INPUT");<br /> input.type="hidden";<br /> input.name = keyValuePair[0];<br /> input.value = keyValuePair[1];<br /> f.appendChild(input);<br /> }<br /> }<br /><br /> document.body.appendChild(f);<br /> f.submit();<br />}<br /><br />navigateToUrl("http://foo.com/bar");<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Note that as far as I can see this will not work if there is more than one parameter you need to pass, you may need to do a little more funky splitting of the params variable. and loop through creating inputs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>As for why, I am tempted to say "Because Microsoft, that's why!", but I dunno. I suppose an argument could be made that when the window.location property is changed it is less a referral than a redirect, and as such there should be no referrer. Considering all the other browsers handle this fine and IE9 also does, it might not be a very convincing argument.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>As I write this I have been trying (in vain) to Google up any word from MS on the problem. Lots of forums suggest this behaviour is "by design", but I am not sure where MS refers to this design. About all I can find so far is that you might fix this problem by "Optimizing Internet Explorer" (http://answers.microsoft.com/en-us/ie/forum/ie8-windows_7/ie-8-fails-to-pass-the-http-referer-on-many/6f217b05-e9b8-409a-9447-78f0741d0f55) :p.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p></div>
<BR />
<TABLE style="WIDTH: 473px; HEIGHT: 165px" border=0 cellSpacing=0 cellPadding=0 width=473>
<TBODY>
<TR>
<TD style="HEIGHT: 50px" colSpan=3><SPAN style="LINE-HEIGHT: 16px; FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 12px"><span style='font-family:Arial; font-size:11pt; font-weight: bold; '>Chris</span> <span style='font-family:Arial; font-size:11pt; font-weight: bold; '>O'Kelly</span><BR /><SPAN style="FONT-SIZE: 14px"><B><span style='font-family:Arial; font-size:9pt; font-weight: normal; '>Web Administrator</span></B></SPAN><BR /></SPAN></TD></TR>
<TR>
<TD style="WIDTH: 178px" height=112 vAlign=top width=199 align=left><SPAN style="LINE-HEIGHT: 16px; FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 12px"><table class=7f172dc6-f7d4-483a-a4cd-5841754651fbTable><tr><td><span style='font-family:Arial; font-size:x-small; color: #000000; font-weight: bold; '>Minecorp Australia</span></td></tr><tr><td><span style='font-family:arial; font-size:9pt; '>37 Murdoch Circuit</span></td></tr><tr><td><span style='font-family:arial; font-size:9pt; '>Acacia Ridge QLD 4110</span></td></tr><tr><td><span style='font-family:Arial; font-size:9pt; color: #0070C0; '><span style='font-family:arial; font-size:9pt; color: #0070C0; font-weight: bold; '><span style='font-family:arial; font-size:9pt; color: #0070C0; font-weight: bold; '><a href='http://www.minecorp.com.au' title='Minecorp Vehicle Solutions' target=''><span style='font-family:arial; font-size:9pt; color: #0070C0; font-weight: bold; '>minecorp.com.au</span></a></span></span></span></td></tr></table><BR /></SPAN></TD>
<TD style="WIDTH: 290px" height=112 vAlign=top width=250 align=left><SPAN style="LINE-HEIGHT: 16px; FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 12px"><B><table class=7f172dc6-f7d4-483a-a4cd-5841754651fbTable><tr><td width=600px><span style='font-family:Arial; font-size:9pt; font-weight: bold; '>P: 07 3723 1000</span></td></tr><tr><td width=600px><span style='font-family:Arial; font-size:9pt; font-weight: bold; '>M: 0450 586 190</span></td></tr><tr><td width=600px><span style='font-family:arial; font-size:9pt; font-weight: bold; '>E: <a href='mailto:Chris.okelly@minecorp.com.au' title='Click to send email to Chris O'Kelly' target=''>Chris.okelly@minecorp.com.au</a></span></td></tr><tr><td width=600px><span style='font-family:Arial; font-size:9pt; color: #4F81BD; font-weight: bold; '>S: <a href='http://skype.com' title='' target=''>chris.okelly.mvs</a></span></td></tr></table><BR /></B></SPAN></TD></TR></TBODY></TABLE> <IMG id=IMG1 border=0 src="http://oi46.tinypic.com/mw8nbd.jpg" width=430 height=132 /><BR /><BR /><div class=WordSection1><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] <b>On Behalf Of </b>Paul Tomblin<br /><b>Sent:</b> Tuesday, 18 September 2012 11:37 AM<br /><b>To:</b> rt-users@lists.bestpractical.com<br /><b>Subject:</b> [rt-users] Cross site request forgery<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have three custom pages, call them "d.html", "a.html" and "c.html". "d.html" is the dashboard for the plugin, and from that one to either of the others and back to "d.html". I transition between them using 'window.location = "d.html";' which works fine for all of the transitions, except one. When I'm on d.html and I want to go to a.html with an argument, I do 'window.location = "a.html?upid=123";'. That one works just fine on Chrome and Firefox (on Linux and Mac) and IE9 (On Windows 7), but on IE8 I get the dreaded "Cross site request forgery". Clicking the "click here to resume your request" of course gets me to the page as requested.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In the log, the message is <o:p></o:p></p></div><div><p class=MsoNormal>Possible CSRF: your browser did not supply a Referrer header (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:1369<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Looking at the source code, it appears that the problem is that IsCompCSRFWhitelisted is complaining about the fact that there is an argument. But why isn't IE8 sending a referrer header when the other browsers do?<o:p></o:p></p></div><div><p class=MsoNormal><br clear=all /><o:p></o:p></p><div><p class=MsoNormal>This is RT 4.0.6, running in standalone development mode.<o:p></o:p></p></div></div></div>
</P></BODY></HTML>