Resolve HTTPS CSRF validation failure due to Referrer-Policy on source interface #3351
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
emkll
previously approved these changes
May 3, 2018
There was a problem hiding this comment.
Thanks @redshiftzero for this change.
I've tested this in a prod vm with a self-signed certificate.
With this patch, I can confirm the submission now properly goes through and I can fully interact with the source interface over https.
I also agree that this change should not affect the privacy properties of the application.
👍 once rebased and passing CI
The addition of Referrer-Policy "no-referrer" meant that the CSRF tokens on the source interface did not validate due to the use of WTF_CSRF_SSL_STRICT=True [0]. Setting Referrer-Policy to "same-origin" resolves [1]. Note that Tor Browser does not send Referers from onion services [2], so there are no negative privacy implications to this change. [0] https://flask-wtf.readthedocs.io/en/stable/config.html [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy [2] https://trac.torproject.org/projects/tor/ticket/9623
redshiftzero
force-pushed
the
resolve-https-referer
branch
from
851b5d4 to
4fc204a
Compare
Codecov Report
@@ Coverage Diff @@
## develop #3351 +/- ##
========================================
Coverage 85.81% 85.81%
========================================
Files 34 34
Lines 2157 2157
Branches 238 238
========================================
Hits 1851 1851
Misses 250 250
Partials 56 56Continue to review full report at Codecov.
|
emkll
approved these changes
May 3, 2018
This was referenced May 3, 2018
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status
Ready for review
Description of Changes
Fixes #3333.
Changes proposed in this pull request:
The addition of
Referrer-Policy "no-referrer"meant that the CSRF tokens on the source interface did not validate due to the use of WTF_CSRF_SSL_STRICT=True. SettingReferrer-Policyto"same-origin"resolves. Note that Tor Browser does not send Referers from onion services, so there are no negative privacy implications to this change.Testing
Deployment
Some sites have applied this change already in production. Their Apache configs will not automatically update to the latest, but the next time they re-run
securedrop-admin installthis change will mean that they do not regress to the faulty behavior produced by the use of"no-referrer".Checklist
If you made changes to the system configuration: