Task #83768

Remove referrer check on backend login

Added by Michael Schams over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Authentication
Start date:
2018-02-04
Due date:
% Done:
100%

TYPO3 Version:
7
PHP Version:
Tags:
backend browser
Complexity:
easy
Sprint Focus:

Description

Issue

Browser vendors are considering or have already announced not to send the Referer (which is part of the HTTP request) when links are followed or forms are submitted. Due to the fact that TYPO3 requires the Referer URL when logging into the backend or working in the backend, this move will possibly lock out users of modern browsers.

Affected TYPO3 Versions

  • TYPO3 version 7.x → affected
  • TYPO3 version 8.x → affected
  • TYPO3 version 9.x → affected

Solution

Remove referrer check on backend login in TYPO3. TYPO3 should not rely on or require the Referer header sent by the browser when a user logs into the backend.
Alternatively, site administrators can disable the check already (see below). However, this should become the default.

[SYS][doNotCheckReferer] = 1

References:

Firefox version 59 obscures Referrer to strengthen user's privacy (German):
https://www.heise.de/newsticker/meldung/Firefox-59-verschleiert-Referrer-fuer-besseren-Datenschutz-3960175.html

Mozilla announces to remove path information from referrers in Firefox 59:
https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/

Electronic Frontier Foundation (EFF) discovered this leak of personal health data:
https://www.eff.org/deeplinks/2015/01/healthcare.gov-sends-personal-data

Associated revisions

Revision b1034222 (diff)
Added by Michael Schams over 2 years ago

[BUGFIX] Do not check HTTP referrer anymore

Under certain circumstances some browsers do not set the HTTP referrer
anymore due to privacy reasons. Hence, checking the referrer breaks
functionality.

The configuration option [SYS][doNotCheckReferer] is also removed as
it is not needed anymore.

Resolves: #83768
Releases: master, 8.7, 7.6
Change-Id: Ia8f882e07a9e2091ceb38aee814badb97403250d
Reviewed-on: https://review.typo3.org/55556
Reviewed-by: Benni Mack <>
Tested-by: Benni Mack <>
Tested-by: TYPO3com <>
Reviewed-by: Markus Klein <>
Tested-by: Markus Klein <>
Reviewed-by: Susanne Moog <>
Tested-by: Susanne Moog <>

Revision 3f27b4f0 (diff)
Added by Benni Mack about 2 years ago

[BUGFIX] Do not check HTTP referrer anymore

Under certain circumstances some browsers do not set the HTTP referrer
anymore due to privacy reasons. Hence, checking the referrer breaks
functionality.

Resolves: #83768
Releases: master, 8.7, 7.6
Change-Id: Ia8f882e07a9e2091ceb38aee814badb97403250d
Reviewed-on: https://review.typo3.org/55818
Reviewed-by: Markus Klein <>
Tested-by: Markus Klein <>
Tested-by: TYPO3com <>
Reviewed-by: Stefan Neufeind <>
Tested-by: Stefan Neufeind <>

Revision eb3a4dbd (diff)
Added by Benni Mack about 2 years ago

[BUGFIX] Do not check HTTP referrer anymore

Under certain circumstances some browsers do not set the HTTP referrer
anymore due to privacy reasons. Hence, checking the referrer breaks
functionality.

Resolves: #83768
Releases: master, 8.7, 7.6
Change-Id: Ia8f882e07a9e2091ceb38aee814badb97403250d
Reviewed-on: https://review.typo3.org/55819
Reviewed-by: Markus Klein <>
Tested-by: Markus Klein <>
Tested-by: TYPO3com <>

History

#1 Updated by Michael Schams over 2 years ago

  • Description updated (diff)

#2 Updated by Helmut Hummel over 2 years ago

Since the referrer check was some poor man's CSRF protection,
which we now replaced with CSRF protection tokens for every backend action,
the referrer check became obsolete.

We can safely remove it in master and deactivate (or even also remove it) in released branches.
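The following is an added example illustrating the point made in the issue description and in the comment above; it is not TYPO3 code and does not reproduce TYPO3's token mechanism. It runs three constructed login-form submissions through a Referer-based check and through a session-bound CSRF token check. The backend URL, the session array, the header names and the `csrf_token` field are illustrative assumptions. "Origin-only referer" stands for what a browser sends under a referrer policy such as strict-origin-when-cross-origin (the behaviour the linked Mozilla post describes for Firefox 59 Private Browsing); "no referer" stands for a Referrer-Policy of no-referrer or a browser that omits the header altogether.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Compares a Referer-based check with a
// session-bound CSRF token check on constructed requests. All URLs, header
// arrays and field names below are assumptions for illustration.

/**
 * Legacy-style check: accept the request only if a Referer header is present
 * and starts with the backend URL (path included).
 */
function refererCheckPasses(array $headers, string $backendUrl): bool
{
    if (!isset($headers['Referer'])) {
        return false; // header stripped for privacy: legitimate user is locked out
    }
    return strpos($headers['Referer'], $backendUrl) === 0;
}

/**
 * Looser variant: compare scheme, host and port only, so an origin-only
 * Referer still passes. Still fails when the header is absent.
 */
function refererOriginMatches(array $headers, string $backendUrl): bool
{
    if (!isset($headers['Referer'])) {
        return false;
    }
    $ref = parse_url($headers['Referer']);
    $exp = parse_url($backendUrl);
    return ($ref['scheme'] ?? null) === ($exp['scheme'] ?? null)
        && ($ref['host'] ?? null) === ($exp['host'] ?? null)
        && ($ref['port'] ?? null) === ($exp['port'] ?? null);
}

/** Store a fresh random token in the server-side session and return it for the form. */
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session token. */
function csrfTokenValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// --- Constructed scenario (assumed backend URL and requests) ---
$backendUrl = 'https://example.org/typo3/';
$session = [];
$token = issueCsrfToken($session);

$cases = [
    'full referer'        => ['Referer' => 'https://example.org/typo3/index.php?route=/login'],
    'origin-only referer' => ['Referer' => 'https://example.org/'],
    'no referer'          => [],
];

foreach ($cases as $name => $headers) {
    // The same logged-in user submits the backend form with the token it was issued.
    $post = ['csrf_token' => $token];
    printf("%-20s  full-URL referer: %-4s  origin referer: %-4s  csrf token: %s\n",
        $name,
        refererCheckPasses($headers, $backendUrl) ? 'pass' : 'FAIL',
        refererOriginMatches($headers, $backendUrl) ? 'pass' : 'FAIL',
        csrfTokenValid($session, $post) ? 'pass' : 'FAIL');
}

// A cross-site forgery cannot read the victim's session token, so it has to guess.
$forged = ['csrf_token' => 'guess'];
printf("%-20s  csrf token: %s\n", 'forged request',
    csrfTokenValid($session, $forged) ? 'pass' : 'FAIL');
```

Run with `php` on the command line. The full-URL check rejects the origin-only request, both Referer checks reject the request without a header, and the token check accepts all three legitimate submissions while rejecting the forged one. That is the practical argument behind the change: the token is bound to the user's own session and is never affected by what the browser chooses to put in Referer, whereas any Referer-based check is at the mercy of client-side privacy settings. Once the patch is applied, the `[SYS][doNotCheckReferer]` option no longer exists, so setting it in an installation has no effect.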

#3 Updated by Markus Klein over 2 years ago

  • Status changed from New to Accepted
  • Target version set to Candidate for patchlevel
  • Complexity set to easy

#4 Updated by Gerrit Code Review over 2 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55556

#5 Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55556

#6 Updated by Michael Schams over 2 years ago

  • Description updated (diff)

#7 Updated by Gerrit Code Review over 2 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55556

#8 Updated by Anonymous over 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#9 Updated by Susanne Moog over 2 years ago

  • Parent task set to #83894

#10 Updated by Susanne Moog over 2 years ago

  • Parent task deleted (#83894)

#11 Updated by Gerrit Code Review over 2 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55818

#12 Updated by Gerrit Code Review over 2 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55819

#13 Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55818

#14 Updated by Gerrit Code Review about 2 years ago

Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55818

#15 Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55819

#16 Updated by Benni Mack about 2 years ago

  • Status changed from Under Review to Resolved

#17 Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed
