Checking for Origin instead of (or as well as) Referer #203

Closed
dellow opened this issue Oct 9, 2020 · 2 comments · Fixed by #204
Comments

@dellow
Contributor

dellow commented Oct 9, 2020

I've had a long-standing issue with Sanctum that I've finally solved today. Every time I used it I kept getting authorization errors despite following everything in the Docs and reading countless Stack Overflow posts.

Most solutions always revolve around SANCTUM_STATEFUL_DOMAINS not being configured correctly. I knew mine were ok.

I've noticed in the past that using a different browser from my default (Firefox) actually works. I've put this down to a weird Firefox bug that would get fixed in the next update. But it never did.

I finally traced the issue to EnsureFrontendRequestsAreStateful::fromFrontend() which checks the referer against the stateful domains. It turns out Firefox was not sending the referer header. Sure enough, in the settings the network.http.sendRefererHeader option was set to 0 (off).

Turns out that a VPN Firefox extension (Private Internet Access) decided to turn this off for me as a security measure. It also does the same in the Chrome version.

So it turns out that anyone using these extensions (or any that do the same thing) will not be able to use a website that utilizes Sanctum.

I have noticed the Origin header has always been present in the request. Is it possible to also check this header as a backup in case Referer does not exist? Or are there issues with the Origin header that I'm not aware of?
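The check described in this issue, written as an added stand-alone PHP example (not Sanctum's own `fromFrontend()` implementation): the function `fromFrontend()`, the `$headers` array and the `$statefulDomains` list are assumptions constructed for the demo, and exact host[:port] matching stands in for Sanctum's pattern matching.

```php
<?php
// Added example: decide whether a request comes from a configured "stateful"
// first-party frontend, trying Referer first and falling back to Origin when a
// browser or extension has suppressed Referer (as in the Firefox case above).
declare(strict_types=1);

/**
 * @param array<string,string|null> $headers         lower-cased header name => value
 * @param string[]                  $statefulDomains entries such as "localhost:3000"
 */
function fromFrontend(array $headers, array $statefulDomains): bool
{
    // Prefer Referer; fall back to Origin when Referer is absent or empty.
    // Origin carries only scheme://host[:port], which is all this check needs.
    $source = $headers['referer'] ?? null;
    if ($source === null || $source === '') {
        $source = $headers['origin'] ?? null;
    }
    if ($source === null || $source === '') {
        return false; // neither header present: not a recognised frontend request
    }

    // Compare host[:port] only; scheme and path are irrelevant to the decision.
    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // covers an opaque "null" Origin or a malformed value
    }
    $port = parse_url($source, PHP_URL_PORT);
    $hostPort = $port === null ? $host : "{$host}:{$port}";

    foreach ($statefulDomains as $domain) {
        if (strcasecmp(trim($domain), $hostPort) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs (assumptions, not from the issue).
$statefulDomains = ['localhost:3000', 'app.example.test'];

$refererSuppressed = ['origin' => 'http://localhost:3000'];              // Firefox + extension
$normal            = ['referer' => 'http://localhost:3000/login',
                      'origin'  => 'http://localhost:3000'];
$thirdParty        = ['origin' => 'https://other.example'];

var_dump(fromFrontend($refererSuppressed, $statefulDomains));
var_dump(fromFrontend($normal, $statefulDomains));
var_dump(fromFrontend($thirdParty, $statefulDomains));
```

The third case shows why the fallback does not loosen the check: a request from a host outside the stateful list is still treated as non-frontend whichever header supplied it.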

@driesvints
Member

@dellow we've rejected replacing the Referer header with the Origin header in the past because it'd be a breaking change. But we can allow it to be a fallback header instead. Can you PR that?

@dellow
Contributor Author

dellow commented Oct 9, 2020

@driesvints Absolutely. I'll get on it.

Thanks.
