3
Recently, I found that I was failing to log into certain websites using Firefox. Not sure when exactly it started happening. Right now, I'm running Firefox 14.0.1. Logins work fine on other browsers.
The most recent time gave me the most descriptive error.
Forbidden (403)
CSRF verification failed. Request aborted.
You are seeing this message because this HTTPS site requires a 'Referer header'
to be sent by your Web browser, but none was sent. This header is required for
security reasons, to ensure that your browser is not being hijacked by third
parties.
If you have configured your browser to disable 'Referer' headers, please
re-enable them, at least for this site, or for HTTPS connections, or for
'same-origin' requests.
This led me to find an answer to my problem in another question. In about:config, "network.http.sendRefererHeader" was set to "0". I changed the setting to "1", and was then able to log in successfully. I don't remember setting this myself, so I wonder if a default setting was changed during an update.
My question: is there a reason why Referer headers should be disabled? Is it a security thing?
1
I think you may be right on the "security-conscious addon". I'm using the Web Developer Toolbar. There is an option to "disable referers" that seems to toggle "network.http.sendRefererHeader". The gotcha is that it does not indicate whether it's enabled or not. Thanks for the tip on what to look for.
– dangowans – 2012-08-14T18:16:40.167
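A server-side strict Referer check of the kind the error message in the question describes, as an added example that is not part of the original post and not the site's actual code. The function name, the request shape, and the host shop.example.test are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def _host_port(netloc):
    """Normalise 'host[:port]' to (lowercase host, port), defaulting to 443."""
    parts = urlsplit("//" + netloc)
    return (parts.hostname or "").lower(), parts.port or 443


def check_referer(is_secure, host, headers):
    """Strict Referer check for a state-changing request.

    Returns (allowed, reason). `host` is the request's Host value and
    `headers` a plain dict keyed by header name (assumed shapes).
    """
    if not is_secure:
        # Assumption: like the quoted message, only HTTPS requests are checked.
        return True, "plain HTTP: strict Referer check not applied"
    referer = headers.get("Referer")
    if referer is None:
        # The case from the question: the browser was told to send no Referer.
        return False, "no Referer header was sent"
    try:
        parts = urlsplit(referer)
        referer_origin = _host_port(parts.netloc)
        site_origin = _host_port(host)
    except ValueError:  # unparseable URL or invalid port
        return False, "Referer is malformed"
    if not parts.scheme or not parts.netloc:
        return False, "Referer is malformed"
    if parts.scheme != "https":
        return False, "Referer is not HTTPS"
    if referer_origin != site_origin:
        return False, "Referer does not match the site's own host"
    return True, "Referer matches"


# Constructed sample requests to the placeholder site shop.example.test.
SAMPLES = [
    ("sendRefererHeader=0", {}),
    ("normal login", {"Referer": "https://shop.example.test/login"}),
    ("cross-site form", {"Referer": "https://other.example.test/page"}),
    ("downgraded page", {"Referer": "http://shop.example.test/login"}),
]

if __name__ == "__main__":
    for label, headers in SAMPLES:
        print(label, check_referer(True, "shop.example.test", headers))
```

With the header suppressed, the server cannot tell a same-site form submission from a cross-site one, so it rejects the request rather than guessing.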