Bug #91414
Closed. Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes
After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3
Description
I get Error #1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException Missing referrer for /main after upgrading
Steps to reproduce:
1. try to access the backend with https://www.somedomain.tld/typo3/
Updated by Richard Haeser over 4 years ago
- Is duplicate of Bug #91396: Allow SSO authentication handlers to pass SSRF referrer checks added
Updated by Oliver Hader over 4 years ago
- Status changed from New to Needs Feedback
"Missing Referrer" is a bit different to the other issues.
- Which browser version is used?
- Is the website being served from behind a (reverse) proxy?
- Are any "Referrer-Policy" HTTP headers sent or defined?
https://typo3.org/security/advisory/typo3-core-sa-2020-006 mentions a ways to work-around missing referrer by disabling the corresponding feature. Still it would be interesting for us to know why those referrer headers are missing. Thanks in advance for further feedback!
Updated by Oliver Hader over 4 years ago
- Related to Bug #91406: "#1588095936: Missing referrer for Install Tool" in TYPO3 7.6.42 ELTS added
Updated by Patrick Lenk over 4 years ago
I can confirm this issue after update to 9.5.17.
Chrome 81.0.4044.138 or Firefox 76.0.1
Website served with plesk. Proxy mode enabled (nginx forwards requests to apache via proxies)
Referrer-policy header is set to strict-origin.
Backend works again if the referrer-policy header is changed to same-origin.
Updated by Anonymous over 4 years ago
- Related to Bug #91420: MissingReferrerException TYPO3 v10.4.2 added
Updated by Oliver Hader over 4 years ago
Thanks for your feedback, and good that it works now having correct HTTP headers in place with
Referrer-Policy: same-origin
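The difference reported above (backend broken with strict-origin, working with same-origin) can be made visible with a small model. This is an added example, not TYPO3's code: the first part derives the Referer a browser sends under each Referrer-Policy value following the W3C Referrer Policy spec; the backend check is an assumption that only mirrors the behaviour reported in this thread (referrer required, same origin, pointing inside /typo3/). The URLs are constructed from the ones quoted in the thread.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Added example (not TYPO3 code). referer_for() derives the Referer a browser sends for a
# navigation under each Referrer-Policy value, per the W3C Referrer Policy spec.
# backend_accepts() is a simplified check that is an ASSUMPTION modelling what this thread
# reports (a referrer is required, same origin, pointing inside the backend directory).

def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def _stripped(url: str) -> str:
    # Spec: "strip url for use as a referrer" drops credentials and the fragment.
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))

def referer_for(policy: str, source: str, dest: str) -> Optional[str]:
    """Referer header value (or None) for a navigation source -> dest under `policy`."""
    same_origin = _origin(source) == _origin(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    origin_only = _origin(source) + "/"
    full = _stripped(source)
    rules = {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "origin": origin_only,
        "origin-when-cross-origin": full if same_origin else origin_only,
        "same-origin": full if same_origin else None,
        "strict-origin": None if downgrade else origin_only,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin_only),
        "unsafe-url": full,
    }
    return rules[policy]

def backend_accepts(referer: Optional[str], request_url: str, backend_dir: str = "/typo3/") -> bool:
    """Simplified referrer enforcement (assumption, see comment at the top)."""
    if not referer:
        return False  # the "Missing referrer" situation described in the thread
    return _origin(referer) == _origin(request_url) and urlsplit(referer).path.startswith(backend_dir)

if __name__ == "__main__":
    src = "https://www.somedomain.tld/typo3/"                         # login form (constructed from the thread)
    dst = "https://www.somedomain.tld/typo3/index.php?route=%2Fmain"  # backend entry point after login
    for policy in ("same-origin", "strict-origin", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_for(policy, src, dst)
        print(f"{policy:32} Referer={str(ref):40} accepted={backend_accepts(ref, dst)}")
```

With strict-origin the browser sends only the origin, so a check that needs the /typo3/ path sees no usable referrer; same-origin and strict-origin-when-cross-origin keep the full URL for same-origin navigations while still hiding it from third parties.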
Updated by Oliver Hader over 4 years ago
- Status changed from Needs Feedback to Closed
Closing this ticket for the time being. Feel free to reopen in case there are additions. Thx
Updated by Kurt Gusbeth over 4 years ago
After updating from TYPO3 9.5.9 to 9.5.18 we get this error message:
(1/1) #1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException
Missing referrer for /main
We have added the header "Referrer-Policy: same-origin" to the .htaccess, but it didn't help.
What can we do else?
Here is the header information:
/typo3/index.php?route=%2Fmain&token=ca0e633432542c6292efd8a9d4de0b359ae1f67b&referrer-refresh=1591084408
Host: www.xyz.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: be_lastLoginProvider=1433416747; be_lastLoginProvider=1433416747; _pk_id.17.4492=3990bea59705926c.1587455457.9.1591084125.1591084090.; dp_cookieconsent_status={"dp--cookie-statistics":true,"dp--cookie-marketing":true}; cookieconsent_status=dismiss; _pk_ses.17.4492=1; be_typo_user=f58c567b55c8b3fe0b0ad76c81d0ce49; phpMyAdmin=uvcumsohs2o9sn95eqmg0d503h; PHPSESSID=uvcumsohs2o9sn95eqmg0d503h
Upgrade-Insecure-Requests: 1
GET: HTTP/1.1 200 OK
Date: Tue, 02 Jun 2020 07:53:31 GMT
Server: Apache/2.4.25 (Debian)
Expires: 0
Last-Modified: Tue, 02 Jun 2020 07:53:31 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Encoding: gzip
X-UA-Compatible: IE=edge
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
Content-Length: 283
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
Updated by Kurt Gusbeth over 4 years ago
Additional information: other people do not have this problem on the same site.
Updated by Kurt Gusbeth over 4 years ago
PS: the problem can be fixed with this setting:
[SYS][features][security.backend.enforceReferrer] = false
in the Localconf.