Project

General

Profile

Actions

Task #83768

closed

Remove referrer check on backend login

Added by Michael Schams about 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Authentication
Start date:
2018-02-04
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
7
PHP Version:
Tags:
backend browser
Complexity:
easy
Sprint Focus:

Description

Issue

Browser vendors are considering or have already announced not to send the Referer (which is part of the HTTP) when links are followed or forms are submitted. Due to the fact that TYPO3 requires the Referer URL when logging into the backend or working in the backend, this move will possibly lock out users of modern browsers.

Affected TYPO3 Versions

  • TYPO3 version 7.x → affected
  • TYPO3 version 8.x → affected
  • TYPO3 version 9.x → affected

Solution

Remove referrer check on backend login in TYPO3. TYPO3 should not rely on or require the Referer header sent by the browser, when a user logs into the backend.
Alternatively, site administrators can disable the check already (see below). However, this should become the default.

[SYS][doNotCheckReferer] = 1

References:

Firefox version 59 obscures Referrer to strengthen user's privacy (German):
https://www.heise.de/newsticker/meldung/Firefox-59-verschleiert-Referrer-fuer-besseren-Datenschutz-3960175.html

Mozilla announces to remove path information from referrers in Firefox 59:
https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/

Electronic Frontier Foundation (EFF) discovered this leak of personal health data:
https://www.eff.org/deeplinks/2015/01/healthcare.gov-sends-personal-data

Actions

Also available in: Atom PDF