Task #83768
Status: closed
Remove referrer check on backend login
% Done: 100%
Description
Issue
Browser vendors are considering, or have already announced, not sending the Referer header (which is part of HTTP) when links are followed or forms are submitted. Because TYPO3 requires the Referer URL when logging into the backend or working in the backend, this move will possibly lock out users of modern browsers.
Affected TYPO3 Versions
- TYPO3 version 7.x → affected
- TYPO3 version 8.x → affected
- TYPO3 version 9.x → affected
Solution
Remove the referrer check on backend login in TYPO3. TYPO3 should not rely on or require the Referer header sent by the browser when a user logs into the backend.
Alternatively, site administrators can disable the check already (see below). However, this should become the default.
[SYS][doNotCheckReferer] = 1
References:
Firefox version 59 obscures Referrer to strengthen user's privacy (German):
https://www.heise.de/newsticker/meldung/Firefox-59-verschleiert-Referrer-fuer-besseren-Datenschutz-3960175.html
Mozilla announces to remove path information from referrers in Firefox 59:
https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/
Electronic Frontier Foundation (EFF) discovered this leak of personal health data:
https://www.eff.org/deeplinks/2015/01/healthcare.gov-sends-personal-data
Updated by Helmut Hummel almost 7 years ago
Since the referrer check was some poor man's CSRF protection, which we now replaced with CSRF protection tokens for every backend action, the referrer check became obsolete.
We can safely remove it in master and deactivate (or even also remove it) in released branches.
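The contrast drawn in the comment above, as an added illustration that is not TYPO3's own code: a Referer-based check rejects any request whose browser omits the header, while a session-bound token check needs no request header at all. The hostname cms.example.org and the session array shape are assumptions made for the example.

```php
<?php
// Illustration only (not TYPO3 code): why a Referer check is weak CSRF
// protection and why a per-action token does not depend on the browser.

// Legacy style of check: trusts the Referer header. A browser with a
// strict referrer policy sends no Referer at all, so a legitimate login
// is rejected. That is the lock-out this issue describes.
function refererCheckPasses(array $headers, string $expectedHost): bool
{
    if (empty($headers['Referer'])) {
        return false;   // privacy-conscious browsers land here
    }
    $host = parse_url($headers['Referer'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Token-based check: the server keeps a random secret in the session,
// embeds it in every backend form and compares it on submission.
// No request header is involved, so referrer policies cannot break it.
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

function csrfTokenCheckPasses(array $session, string $submitted): bool
{
    return isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// Constructed sample session and requests.
$session = [];
$token = issueCsrfToken($session);

// Browser that strips the Referer: header check fails, token check passes.
$privateBrowser = ['Referer' => ''];
var_dump(refererCheckPasses($privateBrowser, 'cms.example.org'));
var_dump(csrfTokenCheckPasses($session, $token));

// Cross-site form post without knowledge of the session token: rejected.
var_dump(csrfTokenCheckPasses($session, 'not-the-real-token'));
```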
Updated by Markus Klein almost 7 years ago
- Status changed from New to Accepted
- Target version set to Candidate for patchlevel
- Complexity set to easy
Updated by Gerrit Code Review almost 7 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55556
Updated by Gerrit Code Review almost 7 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55556
Updated by Gerrit Code Review almost 7 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55556
Updated by Anonymous almost 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset b103422261a06579cd5dc1a996a39e721a378042.
Updated by Gerrit Code Review almost 7 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55818
Updated by Gerrit Code Review almost 7 years ago
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55819
Updated by Gerrit Code Review almost 7 years ago
Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55818
Updated by Gerrit Code Review over 6 years ago
Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55818
Updated by Gerrit Code Review over 6 years ago
Patch set 2 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55819
Updated by Benni Mack over 6 years ago
- Status changed from Under Review to Resolved
Applied in changeset 3f27b4f069cb6f87ae6dea9143adfc0d456cf6de.