[rt-users] Cross site request forgery

Paul Tomblin ptomblin at xcski.com
Mon Sep 17 21:37:00 EDT 2012


I have three custom pages, call them "d.html", "a.html" and "c.html".
"d.html" is the dashboard for the plugin, and from that one I go to either of
the others and back to "d.html".  I transition between them using
'window.location = "d.html";' which works fine for all of the transitions,
except one.  When I'm on d.html and I want to go to a.html with an
argument, I do 'window.location = "a.html?upid=123";'.  That one works just
fine on Chrome and Firefox (on Linux and Mac) and IE9 (On Windows 7), but
on IE8 I get the dreaded "Cross site request forgery".  Clicking the "click
here to resume your request" of course gets me to the page as requested.

In the log, the message is
Possible CSRF: your browser did not supply a Referrer header
(/opt/rt4/sbin/../lib/RT/Interface/Web.pm:1369)

Looking at the source code, it appears that the problem is that
IsCompCSRFWhitelisted is complaining about the fact that there is an
argument.  But why isn't IE8 sending a referrer header when the other
browsers do?

This is RT 4.0.6, running in standalone development mode.

-- 
http://www.linkedin.com/in/paultomblin
http://careers.stackoverflow.com/ptomblin
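As an added illustration, not code from RT or from the poster, the following Python models the referrer check the log message describes: a component that is not whitelisted and carries arguments is allowed only when a Referer header from the site's own host is present. The whitelist entries and the site host are assumptions for the example; RT's real check is Perl and its whitelist differs.

```python
from urllib.parse import urlparse

# Hypothetical whitelist of components that may be requested with
# arguments and no Referer (constructed for the example, not RT's list).
WHITELIST = {"/index.html", "/NoAuth/Logout.html"}

# Hypothetical canonical host of this RT instance (constructed value).
SITE_HOSTS = {"rt.example.com"}


def is_comp_csrf_whitelisted(path, args):
    """No referrer check is needed when the component is whitelisted or the
    request carries no arguments at all (nothing for a forged request to pass)."""
    if path in WHITELIST:
        return True
    return len(args) == 0


def check_csrf(path, args, headers):
    """Return (allowed, reason) for one request.

    Fail closed: a request with arguments and no Referer header is treated
    as possible CSRF, which is exactly what an IE8 window.location jump
    to a.html?upid=123 triggers, since IE8 sends no Referer for it."""
    if is_comp_csrf_whitelisted(path, args):
        return True, None
    referer = headers.get("Referer")
    if not referer:
        return False, "Possible CSRF: your browser did not supply a Referrer header"
    host = urlparse(referer).hostname
    if host not in SITE_HOSTS:
        return False, "Possible CSRF: referrer host %r is not this site" % (host,)
    return True, None


def demo():
    """The three transitions from the post, as (allowed, reason) results."""
    no_ref = {}                                    # IE8 after window.location
    ff_ref = {"Referer": "http://rt.example.com/d.html"}  # Firefox/Chrome
    return {
        "d_to_c_ie8": check_csrf("/c.html", {}, no_ref),
        "d_to_a_ie8": check_csrf("/a.html", {"upid": "123"}, no_ref),
        "d_to_a_firefox": check_csrf("/a.html", {"upid": "123"}, ff_ref),
    }
```

Only the argument-carrying jump without a Referer is rejected; the argument-free transitions pass regardless of browser, matching the behaviour reported above.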

