[selfhosting][proxy] Cross-site POST form submissions are forbidden?

[mlawren]

I'm attempting to run PostOwl locally, proxied behind lighttpd. The initial page loads, but submitting the authentication form generates a "Cross-site POST form submissions are forbidden" error.

I believe this message comes from Svelte, and indeed I can make it go away when I set csrf.checkOrigin = false in svelte.config.js.

I don't know the intention of the ORIGIN value in the .env file, or if it is relevant, but it is set to the external (public) url.

This is possibly the same issue as described here. Unfortunately it appears to not be a straightforward fix.

[mlawren]

Interestingly, I get the same error at https://postowldemo.fly.dev/login ... already reproducible! :-)

[keybits]

Hi, thanks for reporting this.

The error you're getting on https://postowldemo.fly.dev is my fault - I should have updated the docs link to the demo. I recently set it to run from https://demo.postowl.website where login works correctly (with a 500 error for an incorrect password). Sorry if that added to any confusion.

You're right that the value of ORIGIN is what's causing the above and the issue you're seeing locally behind lighttpd. There's more on why this is set in the Svelte docs: https://kit.svelte.dev/docs/adapter-node#environment-variables-origin-protocolheader-hostheader-and-port-header

Hopefully those docs will help set an appropriate value for you setup? Let me know if not and I'll take a look to see if I can reproduce.

[mlawren]

I've tried as many combinations of ORIGIN, HOST_HEADER and PROTOCOL_HEADER as I can think of, to no avail. I can see that lighttpd is passing X-Forwarded-Proto and X-Forwarded-Host correctly. So I remain a bit stumped. I guess I'll need to learn about debugging Svelte :-(