Meta referrer="no-referrer" causes all posts to fail in Chrome #28299
Steps to reproduce
Add this to your
Create a form with method='post' that points to a route on the same origin, go to the form in Google Chrome and click submit.
I'm reporting this as an issue instead of a PR because I'm not quite sure of the expected behavior.
The request is failing because Chrome sets the Origin header to the string "null"
My instinct is that the request should succeed, since the
However, I'm not an expert in CSRF and recognize the proper solution might be not to utilize this meta tag in the
The request fails during the
Rails version: 5.0.2
added a commit
Mar 6, 2017
referenced this issue
Mar 6, 2017
It looks like
That said, if I must set to
Code looks like it was introduced here:
Don't know for sure but some scenarios could be posting from HTTP to HTTPS and legacy browsers.
I'm just loath to special-case values because the current version of a particular browser has a bug or behaves inconsistently - those kinds of things tend to hang around in a framework for years (see #18255).
This has turned into a rabbit hole for me, and I think I'm going to set
It turns out that Chrome has not implemented
There is a lot of inconsistency across browsers in their current state on macOS:
Chrome POST to same origin:
Firefox POST to same origin:
Safari POST to same origin:
I see an argument that we don't want to allow "null" since setting "no-referrer" would then represent a reasonable approach for attackers to undermine this check for cross-origin requests.
However, I also worry that working with Origin is like trying to prevent CSRF with the Referer header all over again. Tokens still feel like the gold standard, and with those still in use, I'm not sure which attack vector the
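To make the failure mode in the report concrete (Chrome sending the literal string "null" as the Origin when the page carries `<meta name="referrer" content="no-referrer">`), and to illustrate the point just made that the Origin check is a second layer behind the authenticity token, here is an added, self-contained model of the two checks. It is example code written for this thread, not Rails' own `valid_request_origin?` or `verified_request?` implementation; the `Request` struct, `verify_request`, `demo`, the hypothetical site `https://app.example` and the error text are all constructed for the example. The model accepts a missing Origin (legacy user agents), rejects a mismatched Origin, and turns the string "null" into a distinct, explanatory error instead of a silent mismatch.

```ruby
require "securerandom"

# Constructed stand-in for the request object; not the Rack/ActionDispatch API.
Request = Struct.new(:base_url, :origin, :params, :session, keyword_init: true)

class InvalidAuthenticityToken < StandardError; end

# Hypothetical message explaining why a "null" Origin cannot pass the check.
NULL_ORIGIN_MESSAGE =
  'The browser returned a "null" Origin for a request (typically caused by ' \
  '<meta name="referrer" content="no-referrer">), so the same-origin check ' \
  "cannot be performed. Remove the tag or use a referrer policy that keeps the origin."

# Origin check modelled on the behaviour discussed in this thread (assumption):
#  - no Origin header at all is accepted, because some user agents never send one;
#  - the literal string "null" is rejected with an explanatory error;
#  - any other value must equal the application's own base URL.
def valid_request_origin?(request, origin_check: true)
  return true unless origin_check
  raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null"
  request.origin.nil? || request.origin == request.base_url
end

# Per-session random token; the form embeds it and the server compares on submit.
def issue_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so the token cannot be guessed byte by byte via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  expected = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ expected.shift }
  diff.zero?
end

def valid_authenticity_token?(session, submitted)
  expected = session[:_csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

# Token first (the primary defence), then the Origin check as defence in depth.
# Returns a symbol describing the outcome so callers (and tests) can branch on it.
def verify_request(request, origin_check: true)
  token = request.params["authenticity_token"]
  return :invalid_token unless valid_authenticity_token?(request.session, token)
  return :invalid_origin unless valid_request_origin?(request, origin_check: origin_check)
  :ok
rescue InvalidAuthenticityToken => e
  # Surface the "null" Origin case separately so the error message can explain it.
  e.message == NULL_ORIGIN_MESSAGE ? :null_origin : :invalid_token
end

# Constructed scenarios: same-origin POST, legacy browser without Origin,
# cross-origin POST, the no-referrer case from this issue, and a forged token.
def demo
  session = {}
  token = issue_csrf_token(session)
  site = "https://app.example"
  build = lambda do |origin, tok = token|
    Request.new(base_url: site, origin: origin,
                params: { "authenticity_token" => tok }, session: session)
  end
  {
    same_origin:  verify_request(build.call(site)),
    legacy:       verify_request(build.call(nil)),
    cross_origin: verify_request(build.call("https://other.example")),
    no_referrer:  verify_request(build.call("null")),
    forged_token: verify_request(build.call(site, "A" * 44)),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

The ordering matters for the argument made above: a request with a valid token but a "null" Origin is the situation this issue describes, and the model reports it as `:null_origin` rather than lumping it in with cross-origin forgeries, which is what makes a targeted error message possible. Disabling the Origin check (`origin_check: false`) leaves the token check intact.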
This was referenced
Oct 9, 2017
So after doing further digging, this is not a bug. It could be considered a bug in Firefox that it isn't sending this value, (see https://bugzilla.mozilla.org/show_bug.cgi?id=446344), but basically the reason this is happening is due to a rather vague line in the
It's likely that most people setting the
@sgrif I think there should be more discussion on this issue. As in the post you provided, there are two conflicting entries in the specs.
As it stands right now, the two specs have a conflict. So the solution is that I cannot set that header? Browsers are correctly adhering to spec by setting it to "null" (which is the newer spec from what I am seeing).
The second spec you linked is a proposal from Stanford. Did this make it into an actual specification? If so, can you link it? Even then, we should adopt the newer spec and simply whitelist the "null" value. Or at the very least, continue the debate. As it stands, Rails simply does not work with a valid header value.
I read the proposal and understand why the Origin header exists. But the proposal says null values meaning true null, not the string null. It says to prevent non-supporting browsers from being accepted, which won't happen in this string approach.
It will, which is why on the corresponding PR I asked that we instead raise an error message that specifically explains the issue to the person receiving the error. I suspect the vast majority of people using