Can't post here if using NoScript and Firefox

MountainX · 2016-07-19 01:21:33

My normal Firefox profile includes the NoScript add-on. I have whitelisted archlinux.org in a few places in NoScript but I continue to get the error shown:

Bad HTTP_REFERER. You were referred to this page from an unauthorized source. If the problem persists please make sure that 'Base URL' is correctly set in Admin/Options and that you are visiting the forum by navigating to that URL. More information regarding the referrer check can be found in the FluxBB documentation.

Next I installed an add-on called RefControl and told it to force sending the normal headers to bbs.archlinux.org. That did not help. There must be another add-on that is contributing to the problem. (HTTPS Everywhere?)

Has anyone gotten NoScript to work with FluxBB?

Last edited by MountainX (2016-07-19 01:22:20)

ronw · 2016-07-19 01:46:13

MountainX wrote:

Has anyone gotten NoScript to work with FluxBB?

I run NoScript and don't have any trouble using the forums with archlinux.org allowed.

MountainX · 2016-07-19 02:02:57

ronw wrote:

MountainX wrote:
Has anyone gotten NoScript to work with FluxBB?
I run NoScript and don't have any trouble using the forums with archlinux.org allowed.

Can we compare NoScript settings? In NoScript options I have archlinux.org whitelisted. Under Advanced | XSS, I have both checkboxes checked and I have arch whitelisted with this regex:

 ^https?://[a-z]+\.archlinux\.org/[^"<>\?%]+$

I have not changed any other NoScript settings that I know of.

A test Firefox profile with no add-ons allows me to post here. My normal Firefox profile has NoScript, Adblock Plus (disabled on archlinux.org) and PrivacyFox. So it must be one or more of those... but I only have the problem on Arch forums (I guess it is the only FluxBB site I visit regularly).

Last edited by MountainX (2016-07-19 02:03:45)

ronw · 2016-07-19 02:09:18

I have both options checked in the XSS panel (must be the default, I haven't changed those).

Nothing about archlinux.org in the Anti-XSS Exceptions.

Bad referer sounds like something Privacy Fox might do. In any case, disabling each in turn should pinpoint which extension is causing the problem.

MountainX · 2016-07-19 02:09:18

I had read a post where an Arch forum admin (or moderator?) said this issue was related to NoScript. Based on ronw's post, I tried disabling NoScript and leaving my other add-ons unchanged. It turns out that I still have the problem without NoScript, so something else is causing it.

MountainX · 2016-07-19 02:19:01

It turns out that the issue was not any of my add-ons. It was the following setting in about:config:

network.http.sendRefererHeader’ value=0

Setting that back to 2 allows me to post. But I would prefer not to have to do that. I'm not sure why FluxBB forces this privacy-unfriendly mode. Most websites I visit don't complain at all.

Background:

When you click on a hyperlink to visit a webpage, the URL of the webpage you came from is normally identified and recorded (in its ‘referer log’) by the new page.
While generally a useful piece of information for visited websites, the information contained in a referrer can be abused to track website visitors across the internet, especially when combined with cookies and other tracking techniques. Search engines, in particular, are bad at giving away information in Referer Headings, as they often include the search terms used to find a web page.
In Firefox it is easy to prevent the browser sending referrer information when you click on a URL.
Type ‘about:config’ in the URL bar, and hit enter (you may have to click though a, ‘I’ll be careful, I promise!’ warning)
In the search bar type ‘network.http.sendRefererHeader’
Double-click on the ‘network.http.sendRefererHeader’ preference when it comes up
Enter an integer value of 0, 1, or 2 or in the dialog box, then hit OK and close the ‘about:config’ tab
Firefox referer heading
The integer value you enter into step 4 determines how Firefox handles Referer Headings:
Value 0 – completely disables the Referer Header. This is probably what you want, but it does break some websites (most notably WordPress)
Value 1 – Sends a Referer header when clicking on a link, but not when loading images on a page. This should prevent most cross-site tracking using cookies, whilst also allowing sites that rely on Referer Headers (such as WP) to function properly
Value 2 – This is the default setting, and sends the Referrer Header.

MountainX · 2016-07-19 02:23:48

UPDATE: I did get it working with the RefControl Firefox add-on. That add-on can block sending referrer headers by default but can whitelist bbs.archlinux.org.

Last edited by MountainX (2016-07-19 02:28:26)

jasonwryan · 2016-07-19 02:27:32

Please learn to use the edit button, and stop bumping your thread: https://wiki.archlinux.org/index.php/Co … ct#Bumping

Arch Linux

#1 2016-07-19 01:21:33

Can't post here if using NoScript and Firefox

#2 2016-07-19 01:46:13

Re: Can't post here if using NoScript and Firefox

#3 2016-07-19 02:02:57

Re: Can't post here if using NoScript and Firefox

#4 2016-07-19 02:09:18

Re: Can't post here if using NoScript and Firefox

#5 2016-07-19 02:09:18

Re: Can't post here if using NoScript and Firefox

#6 2016-07-19 02:19:01

Re: Can't post here if using NoScript and Firefox

#7 2016-07-19 02:23:48

Re: Can't post here if using NoScript and Firefox

#8 2016-07-19 02:27:32

Re: Can't post here if using NoScript and Firefox

Board footer