Bug #91414

Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes

After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3

Added by Bernhard Giner 8 months ago. Updated 4 months ago.

Should have
Backend User Interface

I get Error #1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException Missing referrer for /main after upgrading

Steps to reproduce:
1. try to access the backend with https://www.somedomain.tld/typo3/


Attachment: TYPO3_Exception#1588095935.html (43.1 KB), Bernhard Giner, 2020-05-15 15:22

Related issues

Related to TYPO3 Core - Bug #91406: "#1588095936: Missing referrer for Install Tool" in TYPO3 7.6.42 ELTS (Closed, Andreas Fernandez, 2020-05-14)

Related to TYPO3 Core - Bug #91420: MissingReferrerException TYPO3 v10.4.2 (Closed, 2020-05-16)

Is duplicate of TYPO3 Core - Bug #91396: Allow SSO authentication handlers to pass SSRF referrer checks (Closed, Oliver Hader, 2020-05-14)


Updated by Richard Haeser 8 months ago

  • Is duplicate of Bug #91396: Allow SSO authentication handlers to pass SSRF referrer checks added

Updated by Oliver Hader 8 months ago

  • Status changed from New to Needs Feedback

"Missing Referrer" is a bit different to the other issues.

  • Which browser version is used?
  • Is the website being served from behind a (reverse) proxy?
  • Are any "Referrer-Policy" HTTP headers sent or defined?

https://typo3.org/security/advisory/typo3-core-sa-2020-006 mentions a way to work around the missing referrer by disabling the corresponding feature. Still, it would be interesting for us to know why those referrer headers are missing. Thanks in advance for further feedback!


Updated by Oliver Hader 8 months ago

  • Related to Bug #91406: "#1588095936: Missing referrer for Install Tool" in TYPO3 7.6.42 ELTS added

Updated by Patrick no-lastname-given 8 months ago

I can confirm this issue after update to 9.5.17.

Chrome 81.0.4044.138 or Firefox 76.0.1
Website served with Plesk. Proxy mode enabled (nginx forwards requests to Apache via proxies)
Referrer-policy header is set to strict-origin.

Backend works again if the referrer-policy header is changed to same-origin.


Updated by K. F. 8 months ago

  • Related to Bug #91420: MissingReferrerException TYPO3 v10.4.2 added

Updated by Oliver Hader 8 months ago

Thanks for your feedback, and good that it works now having correct HTTP headers in place with

Referrer-Policy: same-origin
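
A model of the behaviour reported above, added here as an illustration and not part of the thread or of TYPO3's own code: it computes the `Referer` a browser sends under each `Referrer-Policy` value and shows why `strict-origin` leaves no backend path in it. The URLs are constructed, and `refererInsideBackend` is a hypothetical stand-in that assumes the check requires the referrer to lie inside the backend directory.

```javascript
// Simplified model of the W3C Referrer Policy rules for a navigation.
// "Downgrade" is approximated here as https -> non-https.
const full = (u) => {
  const c = new URL(u);
  c.hash = ''; c.username = ''; c.password = '';
  return c.href; // full URL without fragment or credentials
};
const originOnly = (u) => new URL(u).origin + '/';

function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full(fromUrl);
    case 'origin': return originOnly(fromUrl);
    case 'same-origin': return sameOrigin ? full(fromUrl) : null;
    case 'strict-origin': return downgrade ? null : originOnly(fromUrl);
    case 'no-referrer-when-downgrade': return downgrade ? null : full(fromUrl);
    case 'origin-when-cross-origin':
      return sameOrigin ? full(fromUrl) : originOnly(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full(fromUrl);
      return downgrade ? null : originOnly(fromUrl);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Hypothetical check (assumption, not TYPO3 code): the Referer must be
// present and must point inside the backend directory.
function refererInsideBackend(referer, backendBase) {
  return referer !== null && referer.startsWith(backendBase);
}

// Constructed URLs, using the placeholder host from the report.
const BACKEND = 'https://www.somedomain.tld/typo3/';
const LOGIN = BACKEND + 'index.php?route=%2Flogin';
const MAIN = BACKEND + 'index.php?route=%2Fmain';

// Map each policy to whether a login -> /main navigation would pass.
function survey() {
  const policies = ['no-referrer', 'origin', 'strict-origin', 'same-origin',
    'origin-when-cross-origin', 'strict-origin-when-cross-origin',
    'no-referrer-when-downgrade', 'unsafe-url'];
  return Object.fromEntries(policies.map((p) =>
    [p, refererInsideBackend(computeReferer(p, LOGIN, MAIN), BACKEND)]));
}
console.log(survey());
```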


Updated by Oliver Hader 8 months ago

  • Status changed from Needs Feedback to Closed

Closing this ticket for the time being. Feel free to reopen in case there are additions. Thx


Updated by Oliver Hader 8 months ago

  • Parent task set to #91384

Updated by Kurt Gusbeth 8 months ago

After updating from TYPO3 9.5.9 to 9.5.18 we get this error message:

(1/1) #1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException
Missing referrer for /main

We have added the header "Referrer-Policy: same-origin" to the .htaccess, but it didn't help.
What else can we do?
Here is the header information:

Host: www.xyz.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: be_lastLoginProvider=1433416747; be_lastLoginProvider=1433416747; _pk_id.17.4492=3990bea59705926c.1587455457.9.1591084125.1591084090.; dp_cookieconsent_status={"dp--cookie-statistics":true,"dp--cookie-marketing":true}; cookieconsent_status=dismiss; _pk_ses.17.4492=1; be_typo_user=f58c567b55c8b3fe0b0ad76c81d0ce49; phpMyAdmin=uvcumsohs2o9sn95eqmg0d503h; PHPSESSID=uvcumsohs2o9sn95eqmg0d503h
Upgrade-Insecure-Requests: 1

GET: HTTP/1.1 200 OK
Date: Tue, 02 Jun 2020 07:53:31 GMT
Server: Apache/2.4.25 (Debian)
Expires: 0
Last-Modified: Tue, 02 Jun 2020 07:53:31 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Encoding: gzip
X-UA-Compatible: IE=edge
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
Content-Length: 283
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;


Updated by Kurt Gusbeth 8 months ago

Additional information: other people do not have this problem on the same site.


Updated by Kurt Gusbeth 4 months ago

PS: the problem can be fixed with this setting:
[SYS][features][security.backend.enforceReferrer] = false
in the Localconf.
