cannot log in unless HTTP Referer request header is enabled
Categories: bugzilla.mozilla.org :: General, defect
People: Reporter: firefoxbugs, Assigned: dkl
Attachments: 1 file
Steps to reproduce:
In about:config set network.http.sendRefererHeader to 0.
From any page on bugzilla.mozilla.org, attempt to log in.
Actual results:
Can't log in. First it tells you "Untrusted Authentication Request": "You tried to log in using the [email address] account, but Bugzilla is unable to trust your request. Make sure your web browser accepts cookies and that you haven't been redirected here from an external web site. Click here if you really want to log in."
You can click the link and try to log in again (https://bugzilla.mozilla.org/index.cgi?GoAheadAndLogIn=1), but it just takes you again to the "Untrusted Authentication Request" page.
Expected results:
It's beyond me what the developers thought they were gaining with checking a Referer header anyway. Most websites understand that has nothing to do with security. In the past, earlier this year, you could actually log in by doing it the second time on the GoAheadAndLogin page (which should technically be GoAheadAndLogIn, see Bug 103439 - pet peeve). But now you can't.
My browsing is almost always done with Referer header and Origin header turned off, since these are obvious privacy leaks. And since there's no per-site preference for these, I have to use a different browser profile entirely to access bugzilla.mozilla.org.
Perhaps this is a Bugzilla bug rather than a bugzilla.mozilla.org bug. Someone with more knowledge of the internals, please triage this to the right product.
(In reply to firefoxbugs from comment #0)
> Perhaps this is a Bugzilla bug rather than a bugzilla.mozilla.org bug. Someone with more knowledge of the internals, please triage this to the right product.
BMO doesn't follow changes in the Bugzilla product (the relationship is actually the reverse), so this is the correct product.
> It's beyond me what the developers thought they were gaining with checking a Referer header anyway
Looking at bug 713926, the Referer header check was put in place in support of users who don't enable cookies. For some context, this is from a time when there was also a desire to support users with JavaScript disabled. We have different expectations today.
In other words the current behaviour is not the intended outcome.
I propose the following:
- ensure cookie-based CGI auth works without a Referer header
- remove the Referer header fallback
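To make the proposal above concrete, here is an added example (not Bugzilla's own code, and not taken from this bug) of a login-request trust check that relies only on a cookie and a matching hidden form field, with the Referer-based fallback modelled as an optional switch so the effect of removing it is visible. The cookie and hidden-field names (`login_request_token`), the `Request` class and the sample requests are constructed for this illustration and are assumptions, not Bugzilla identifiers; `Bugzilla_login`/`Bugzilla_password` are used only as stand-in form fields.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bugzilla.mozilla.org"
TOKEN_COOKIE = "login_request_token"   # assumed cookie name (illustration only)
TOKEN_FIELD = "login_request_token"    # assumed hidden-field name (illustration only)


@dataclass
class Request:
    """Constructed stand-in for an incoming login POST."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_login_form():
    """Serve the login form: mint a random token, send it as a cookie and embed
    the same value in a hidden field. A page on another origin cannot read the
    cookie, so it cannot produce a form whose hidden field matches it."""
    token = secrets.token_urlsafe(32)
    return {TOKEN_COOKIE: token}, {TOKEN_FIELD: token}


def trusted_login_request(req, allow_referer_fallback=False):
    """Decide whether a login POST came from our own login form.

    Proposed behaviour (fallback off): the hidden-field token must equal the
    cookie token. The Referer header is never consulted, so a browser that
    sends none still logs in as long as it accepts cookies.

    allow_referer_fallback=True models the cookie-less fallback the thread
    proposes removing: with no token cookie, accept the POST if the Referer
    points at our own site. This is a sketch of the idea, not Bugzilla's code.
    """
    cookie_token = req.cookies.get(TOKEN_COOKIE)
    form_token = req.form.get(TOKEN_FIELD)
    if cookie_token and form_token:
        # Constant-time compare: never leak how many leading bytes matched.
        return hmac.compare_digest(cookie_token, form_token)
    if allow_referer_fallback and not cookie_token:
        return req.headers.get("Referer", "").startswith(SITE_ORIGIN + "/")
    return False


def verdicts():
    """Run constructed requests through the check; returns a dict of results."""
    set_cookie, hidden = issue_login_form()
    login = {"Bugzilla_login": "user@example.com", "Bugzilla_password": "hunter2"}

    # 1. Cookies on, Referer off (network.http.sendRefererHeader = 0).
    cookies_no_referer = Request(cookies=dict(set_cookie), form={**hidden, **login})
    # 2. Cookies off, Referer on: the case the old fallback was built for.
    no_cookies_referer = Request(form={**hidden, **login},
                                 headers={"Referer": SITE_ORIGIN + "/index.cgi"})
    # 3. Cookies off, Referer off: nothing ties the POST to our form.
    nothing = Request(form={**hidden, **login})
    # 4. Forged form from elsewhere: the victim's cookie rides along, but the
    #    forger cannot read it, so the hidden field carries a guess.
    forged = Request(cookies=dict(set_cookie),
                     form={TOKEN_FIELD: secrets.token_urlsafe(32), **login},
                     headers={"Referer": "https://evil.example/"})

    return {
        "cookies_no_referer": trusted_login_request(cookies_no_referer),
        "no_cookies_referer_proposed": trusted_login_request(no_cookies_referer),
        "no_cookies_referer_fallback": trusted_login_request(
            no_cookies_referer, allow_referer_fallback=True),
        "nothing": trusted_login_request(nothing),
        "forged": trusted_login_request(forged),
    }


if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name:30s} {'trusted' if ok else 'UNTRUSTED'}")
```

With the fallback switched off, the only request that is trusted is the one carrying a cookie whose token matches the hidden field; whether the browser sends a Referer makes no difference, which is the outcome the first bullet asks for. The cookie-less-with-Referer case shows exactly what the second bullet removes: it is trusted only while the fallback exists. The forged case is rejected in both modes because the token in the form does not match the cookie.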