I have a Django site that works well on a server using HTTPS protocol, I can use it with no problem with all kind of browsers.
The thing is that every time I try to use a text browser, I get a
Forbidden (403)
CSRF verification failed. Request aborted.
You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent.
This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS
connections, or for 'same-origin' requests.
Help
Reason given for failure:
Referer checking failed - no Referer.
I have tried links, lynx, even w3m and eww on emacs, to no avail.
When I use a HTTP site (like when I'm using the manage.py runserver) I can use the site on text browsers with no problem, but my production server needs a HTTPS protocol and that's when I get this error.
[ EDIT: just for testing purposes, I deployed an HTTP server for my django site on the production server. It works well on text browsers... ]
[ EDIT: given the message the server throws, why are Referer headers not been given? ]
Lynx is likely configured to not send the Referer header. Check /etc/lynx.cfg for "REFERER".
There are entries like NO_REFERER_HEADER. Make sure that's set to false. If that's not it, check around in that config for any other disabled referer headers.
Also related, the CSRF and Referer header debate: https://code.djangoproject.com/ticket/16870
Are you setting SECURE_PROXY_SSL_HEADER, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE in your settings?
https://docs.djangoproject.com/en/1.7/topics/security/#ssl-https
Related
I'd like my Rails 5 API-only app, for now running on http://localhost:3000, to only accept requests from my NodeJS front-end app, for now running on http://localhost:8888.
So I configured /config/initializers/cors.rb like this:
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins "http://localhost:8888"
resource "*",
headers: :any,
methods: [:get, :post, :put, :patch, :delete, :options, :head]
end
end
And I wrote this test:
#/spec/request/cors_request_spec.rb
RSpec.feature "CORS protection", type: :request do
it "should accept a request from a whitelisted domain" do
get "/api/v1/bodies.json", nil, "HTTP_ORIGIN": "http://localhost:8888"
expect(response.status).to eql(200)
end
it "should reject a request from a non-whitelisted domain" do
get "/api/v1/bodies.json", nil, "HTTP_ORIGIN": "https://foreign.domain"
expect(response.status).to eql(406)
end
end
The first test is passing as expected. But the second is failing with a response code of 200. Why?
(I'm not wed to a 406 response code by the way; just one that indicates the request will not be fulfilled.)
CORS configuration won’t prevent the server from accepting requests based on the value of the Origin request header. You can’t do that just through CORS configuration.
When you configure CORS support on a server, all that the server does differently is just to send the Access-Control-Allow-Origin response header and other CORS headers.
Enforcement of CORS restrictions is done only by browsers. It’s not enforced by servers.
CORS works like is: regardless of any CORS config you make on the server side, the server continues accepting requests from all clients and origins it otherwise would; and so all clients from all origins continue getting responses from the server just as they otherwise would.
So even when you see an error in browser devtools that a cross-origin request from your frontend JavaScript code failed, you’ll still be able to see the response in browser devtools.
But just because your browser can see the response doesn’t mean the browser will expose it to your frontend code. Browsers only expose responses for cross-origin requests to frontend code running at a particular origin if the server the request went to opts-in to allowing the request by responding with an Access-Control-Allow-Origin header which OKs that origin.
So for any requests with an Origin request header matching https://foreign.domain, the configuration snippet in the question should cause browsers to emit a message on the client side saying http://localhost:3000/api/v1/bodies.json can’t be loaded because there’s no Access-Control-Allow-Origin response header in the response (because your configuration causes the server to only send that header in responses to your whitelisted origins).
But that’s all you can do through CORS. You can’t prevent the server side from accepting and responding to requests from particular origins just by doing any CORS configuration on the server side. If you want to do that, you need to do it using something other than just CORS.
Quick overview:
I open my website at domain1. Inside a page, I load an iframe with url http://domain2/...
I keep on getting this warning on chrome and it has affected my website:
A cookie associated with a cross-site resource at http://domain2 was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I never had to set cookies before so I'm unaware where the cookie should be set from. I've already tried setting proxy_cookie_path in my domain2 nginx config but it doesn't seem to work:
location / {
proxy_cookie_path / "/; SameSite=None; Secure";
}
I also tried adding Set-Cookie header which also doesn't seem to work:
location / {
...
add_header 'Set-Cookie' 'SameSite=None; Secure';
}
When I tried the second solution, it seems the the header was received from the response on chrome, but chrome gives the following warning:
Note that domain2 is our domain as well, and it has a python backend using Flask framework. So should I add the cookies from the python code or javascript frontend?
This is getting really frustrating.
Cross-Site Resource Sharing - CORS is a known issue when a request is sent through the same domain. You may try using already existing flask cors package to allow the same origin requests.
In addition, this question and answer seems relevant to yours.
I used this proxy_cookie_flags ~ secure samesite=none; in the blocks server { } and location { } and it worked.
i try to use the Quickstart sign-in of Microsoft using python.
Currently i have this in redirects URL: redirect url
and in my config file i have: Config file
i have not make any change in the others files but when i try to test i receive this message:
Error
how can i solve this issue?
Thanks!
This error usually occurs when the real redirect_uri doesn't match the reply url in Azure portal. You can track the auth request url to find the real redirect_uri. The request url is something like
https://login.microsoftonline.com/{tenant}/oauth2/authorize? client_id=6731de76-14a6-49ae-97bc-6eba6914391e &response_type=code &redirect_uri=http%3A%2F%2Flocalhost%3A12345 &response_mode=query &resource=https%3A%2F%2Fservice.contoso.com%2F &state=12345
After clicking sign in button and before inputting the account, you will find the request url.
The reply URL in the portal needs to match exactly what is configured in the application code. For example, https and http register differently, and a mismatch would cause this error. The application ID/Client ID and tenant IDs also need to match in both places.You need to change the port from 5000 to the effective one.
I also had this problem. I was using the link from flask to go to http://127.0.0.1:5000/ instead of getting http://localhost:5000/ in the browser. Although both these urls point to the site, only the the localhost url is recognized by the app registration.
I'm using Typeform to send a POST request to a Webhook on my server.
I'm looking at the sample request they give and it doesn't look like they are including a Referer header, so my Django site is blocking their request.
Is there a way to whitelist their domain so that they can keep sending this without the referer?
I know I could use csrf_exempt but that would not be ideal.
I have the domain both in CSRF_TRUSTED_ORIGINS and CORS_ORIGIN_WHITELIST.
I want to remove the http referer from the header while redirecting to other page. I am using python and django in the application. Is there a way to remove or reset the referer info.
Referer header is sent by the browser, so you can't control it from the server side.