Bad HTTP_REFERER. Cannot post using Firefox.

lefsha · 2016-07-22 11:35:24

As suggested by Admin I'm opening a new thread for the same problem discussed previously here:
https://bbs.archlinux.org/viewtopic.php?id=1642711

Frankly speaking I'm not sure why creating a new thread is better idea, than to keep posting into the old thread as long as problem is still
the same and still existing. What should happen after 2,3 or even 10 years of doing nothing is not clear to me either. Have never seen before,
that problems are disappearing just due to the waiting. Well, some say - no man - no problem. Hope it's not the case here.
As a user I feel more convenient to look for a solution in one thread instead of searching for it everywhere.

P.S. I was spending >5 min to find the way how to open the new thread. That has never happened to me before also not while using Gentoo forum previously.
Usability is not something very important here. In most such cases I've never visit the same site again.

The problem I have is not being able to make posting with Firefox, where several plugins are installed. One of them is Privacy Settings.
And I don't wish to turn it off just because of this particular forum. Because of some very strange reason everywhere else things are working just fine
for me. I can read emails by using web interface, where the privacy is much more important, than here. Even internet banking has no problem with it.

While reading linked thread (see above) I was trying to adjust config parameter: network.http.sendRefererHeader=2 as recommended.
It didn't help.

For now my solution was to install the new browser (Palemoon) just for this website. It sounds ridicules to me.
Just checked right now forums.gentoo.org again. Everything works perfect with Firefox browser there.

Well I can't ask you to make a change, but are we sure, that this level of being paranoid is required?

Last edited by lefsha (2016-07-22 11:38:20)

mrunion · 2016-07-22 12:37:14

In my opinion....

lefsha wrote:

The problem I have is not being able to make posting with Firefox, where several plugins are installed. One of them is Privacy Settings.
And I don't wish to turn it off.....privacy is much more important

Privacy is very important to you. You have some level of being paranoid about it.

lefsha wrote:

.....but are we sure, that this level of being paranoid is required?

So does Arch Linux.

So why ask us to reduce our security so you can keep yours as you want it? Makes no logical sense. That's my opinion anyway. It sounds like you are saying how secure-minded you are, then deriding the Arch Forums for having the same values as you extolled.

R00KIE · 2016-07-22 14:18:36

lefsha wrote:

As suggested by Admin I'm opening a new thread for the same problem discussed previously here:
https://bbs.archlinux.org/viewtopic.php?id=1642711

Frankly speaking I'm not sure why creating a new thread is better idea, than to keep posting into the old thread as long as problem is still
the same and still existing. What should happen after 2,3 or even 10 years of doing nothing is not clear to me either. Have never seen before,
that problems are disappearing just due to the waiting. Well, some say - no man - no problem. Hope it's not the case here.
As a user I feel more convenient to look for a solution in one thread instead of searching for it everywhere.
P.S. I was spending >5 min to find the way how to open the new thread. That has never happened to me before also not while using Gentoo forum previously.
Usability is not something very important here. In most such cases I've never visit the same site again.

Ranting is going to get you nowhere, if you want to rant get a blog.

lefsha wrote:

The problem I have is not being able to make posting with Firefox, where several plugins are installed. One of them is Privacy Settings.
And I don't wish to turn it off just because of this particular forum. Because of some very strange reason everywhere else things are working just fine
for me. I can read emails by using web interface, where the privacy is much more important, than here. Even internet banking has no problem with it.
While reading linked thread (see above) I was trying to adjust config parameter: network.http.sendRefererHeader=2 as recommended.
It didn't help.
For now my solution was to install the new browser (Palemoon) just for this website. It sounds ridicules to me.
Just checked right now forums.gentoo.org again. Everything works perfect with Firefox browser there.
Well I can't ask you to make a change, but are we sure, that this level of being paranoid is required?

If you disable things websites expect or need to work things are going to break, as clearly stated here.

dakota · 2016-07-22 15:05:30

In my opinion...

The most secure and private computer is one that is never connected to the Internet. Beyond that, there is always a compromise between security/privacy and usability.

If privacy is important to you, it is your responsibility to understand the various privacy settings and adjust them accordingly. Such action will break some sites, but not others. The choice is yours.

I have very strict privacy settings enabled in Firefox. As a result, most web sites are not completely usable to me. I accept that. When I find a site that I can't use -- but want to -- I relax the security settings, one at a time, until I can use the site... or until I decide it is not worth it. By understanding what security settings I am changing, I can adjust the privacy vs usability relationship accordingly.

To come here and say: "xyz security setting is preventing me from accessing this site. Please help me understand why the Arch Linux bulletin board requires it" is rational. To come here and rant without providing specific information is not, and is frowned upon.

lefsha wrote:

Frankly speaking I'm not sure why creating a new thread is better idea, than to keep posting into the old thread as long as problem is still
the same and still existing.

Your previous post contained no useful information. It was noise. When you were called out, you became defensive and insulted the moderator. Such posts usually don't stay around very long, and if you don't wish this post to disappear also, you might wish to change your tone.

lefsha wrote:

For now my solution was to install the new browser (Palemoon) just for this website.

If your new browser is working... it is probably leaking privacy information that you were blocking with Firefox. You do not need to install a new browser; you need to understand your security and privacy settings and adjust them accordingly.

It should be very easy to figure out which setting is blocking you. Remove all privacy settings for this website and then enable them one at a time until the site breaks.

Once you know which setting is blocking you, we can discuss the reason the bulletin board requires it. (It is quite possible that the mystery setting is used to block spam and make the site more usable!)

Good luck,

loqs · 2016-07-22 15:29:46

In this case how would the removal of the Referer header provide any additional privacy?
The value supplied by the refer header would be the topic page which the browser retrieved from the same server.
Edit: removed extraneous 'it' from first sentence.

Last edited by loqs (2016-07-22 15:30:34)

lefsha · 2016-07-22 15:46:14

I guess it's easy to distinguish privacy settings for browser used in public AND private information exchange
and purely public web forum, where no private information is available. Or do I miss something?

mrunion wrote:

In my opinion....
lefsha wrote:
The problem I have is not being able to make posting with Firefox, where several plugins are installed. One of them is Privacy Settings.
And I don't wish to turn it off.....privacy is much more important
Privacy is very important to you. You have some level of being paranoid about it.
lefsha wrote:
.....but are we sure, that this level of being paranoid is required?
So does Arch Linux.
So why ask us to reduce our security so you can keep yours as you want it? Makes no logical sense. That's my opinion anyway. It sounds like you are saying how secure-minded you are, then deriding the Arch Forums for having the same values as you extolled.

lefsha · 2016-07-22 15:52:17

R00KIE wrote:

If you disable things websites expect or need to work things are going to break, as clearly stated here.

Was the string network.http.sendRefererHeader=2 missing in your browser?

dakota · 2016-07-22 15:56:15

lefsha wrote:

I guess it's easy to distinguish privacy settings for browser used in public AND private information exchange
and purely public web forum, where no private information is available. Or do I miss something?

What 'private' information do you think you are providing to this 'purely public web forum'?

You adjusted the [network.http.sendRefererHeader=2] parameter, but that did not help, so that wasn't the problem.

Until you discover the exact privacy setting that is interfering with your posting, you don't know what information is being provided and you are simply speculating. Do your research!

lefsha · 2016-07-22 16:23:25

dakota wrote:

In my opinion...
The most secure and private computer is one that is never connected to the Internet. Beyond that, there is always a compromise between security/privacy and usability.
If privacy is important to you, it is your responsibility to understand the various privacy settings and adjust them accordingly. Such action will break some sites, but not others. The choice is yours.

Thanks for the answer. I do really feel being misunderstood here. There was no offending in my message. Neither I wish to provoke the flame.

In many products or services there are such things like "user friendliness" and user experience.
Mainly I was just reporting of mine. Could I skip it - of course. Could pretend everything is alright - of course.
The question is - for what purpose? - I see none.

Why people tend to ignore the helping action in that and get into defending position saying - we are OK - the problems are yours..?

First I do consider this as _public_ web forum, where privacy is not really important looking from server side.
Anything is public anyway.

I gave an example of particular and similar web forum, where things are working w/o problem.
I did mention mail and banking services, where everything is just fine as well.

I was even trying to change the settings but without success.

Yes, I can do step by step turn off and turn on every single option to check whether it has any influence.
Question 1. How many hours I would spend for that?
Question 2. What probability for ordinary web user to spend his time for the website which is not working for him in the web where another billion of web sites are available?
Question 3. What percentage of users will report about their experience with a particular web site?

OK. Sorry to every one who does feel offended. Won't repeat such messages here anymore. Bye.

Last edited by lefsha (2016-07-22 16:26:22)

R00KIE · 2016-07-22 16:27:29

lefsha wrote:

R00KIE wrote:
If you disable things websites expect or need to work things are going to break, as clearly stated here.
Was the string network.http.sendRefererHeader=2 missing in your browser?

No it isn't, and network.http.sendRefererHeader=2 is the default, it's what my browser is using and what is explained in the link I pointed before. For you to try to set it back to 2 seems to imply you have changed it in the past and are now trying to set it back to the default.

loqs · 2016-07-22 16:32:29

In Firefox ctrl + alt + Q to access the developer network panel then make attempt to make a post and select that POST request from the requests in the network panel, check the request headers on the sub panel on the right check if there is an entry for Referer there.

Kern · 2016-07-22 16:40:22

Can i ask the OP, is this an Arch related problem or are you just complaining about the forum set-up not being to your liking?

Acknowledging R00KIE's link : Browser working as intended: you do sh*t, other sh*t happen.

and paraphrased from another site; may give you a better idea of whats happened and why.

--
Bad Referrer - Access Denied
Your browser failed to inform <site> from which page you submitted a form.
One of three reasons the HTTP_REFERER was not sent along with your form request:

Your browser's ability to send HTTP_REFERERs was disabled. Therefore re-enable this standard feature of your browser.
Your webpage does not originate from our webservers. Therefore connect directly to our site http://www.site.com/
An error occurred in the transmission of your request. Please resubmit your form.

We require this HTTP_REFERER both for site security and form processing reasons. We regret any inconvenience caused and hope for your understanding.
--

Maybe use browser plug-ins that allow you to manually change trust/script/privacy settings on a page by page or site by site basis?

Wanting a forum/website to change its settings to accommodate your browser setup is like asking an airport to install a lake because you prefer flying boats.

TGN?

K

dakota · 2016-07-22 20:14:23

lefsha wrote:

dakota wrote:
In my opinion...
The most secure and private computer is one that is never connected to the Internet. Beyond that, there is always a compromise between security/privacy and usability.
If privacy is important to you, it is your responsibility to understand the various privacy settings and adjust them accordingly. Such action will break some sites, but not others. The choice is yours.
Yes, I can do step by step turn off and turn on every single option to check whether it has any influence.
Question 1. How many hours I would spend for that?

I spent about 15 minutes.

I installed the 'Privacy Settings' add-on to Firefox and tested various 'canned' configuration options by posting on this forum.

Configuration Setting               Success or Failure
----------------------               -------------------
Default Settings                          Success
Full Privacy                              Success
Privacy & Security                        Success
Privacy (compatible)                      Success
Privacy (compatible) & Security           Success
Advanced Settings                         Failed 
... when I set network.http.sendRefererHeader to 0, but worked with the recommended software setting of 2

Cheers,

Last edited by dakota (2016-07-23 23:45:27)

mpan · 2016-07-22 20:55:46

I’ll stand in defence of lefsha in here¹. Web applications can expect from client only the things client is required to do. Sending² Referer header isn’t one of them, and actually in HTML5 and upcoming related drafts there are features that may explicitly ask client to not send it³. If an application receives a valid request and fails to handle it, that’s app’s bug, not client’s fault. Also don’t point at site security that much, considering that Referer header isn’t the best option for preventing CSRF.

@lefsha
Me standing in your defence doesn’t mean you did right.

First of all, you’re reporting the problem to the wrong people. ArchLinux Forum is based on FluxBB and you should raise the issue there. Secondly, you’re probably getting security and privacy wrong. Installing random add-ons with ”privacy” in their description and enabling all their features will not help you. Just think about the simple fact: you have became an easily distinguishable user among over 50 thousands of members of this forum. It scales well to whole internet, making you — with your settings — one of the most easily traceable persons on Earth.

Consider reporting the problem to add-on’s authors too. Blocking Referer when going to the same website is pointless.
____
¹ Note: I have no idea what was in the original thread.
² I assume that the header hasn’t been sent. If it’s being spoofed than, indeed, it’s OP’s fault.
³ Not applicable to this particular case, as it would be the forum itself that would have to request that, but just stressing out optionality of the header.

Last edited by mpan (2016-07-22 21:00:59)

Arch Linux

#1 2016-07-22 11:35:24

Bad HTTP_REFERER. Cannot post using Firefox.

#2 2016-07-22 12:37:14

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#3 2016-07-22 14:18:36

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#4 2016-07-22 15:05:30

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#5 2016-07-22 15:29:46

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#6 2016-07-22 15:46:14

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#7 2016-07-22 15:52:17

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#8 2016-07-22 15:56:15

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#9 2016-07-22 16:23:25

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#10 2016-07-22 16:27:29

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#11 2016-07-22 16:32:29

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#12 2016-07-22 16:40:22

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#13 2016-07-22 20:14:23

Re: Bad HTTP_REFERER. Cannot post using Firefox.

#14 2016-07-22 20:55:46

Re: Bad HTTP_REFERER. Cannot post using Firefox.

Board footer