No new topic can be created without a referrer
-
This forum cannot be used if the browser does not send a referrer. For example, I couldn't create a new topic.
-
This post is deleted!
-
This behaviour still has not changed.
-
"The referrer header offers nothing for security" - this is not entirely true. Referrer checking is the simplest and most effective way to protect the user against Cross-Site Request Forgery attacks.
There are other ways to protect against CSRF attacks (typically involving a CSRF form token, which depending on implementation can have either usability or security implications), but referrer checking works and has close to zero implementation cost, which is likely why NodeBB is using it.
If you wish to use a referrer blocking plugin for privacy reasons (which is a perfectly valid reason to block them), then if the plugin has the options for it, you should configure it to allow same-site origin referrals*, as these have zero privacy impact.
* A same-site origin referral is when referrers are only sent when they match the domain of the site you are viewing, and everything is stripped from the referrer URL after the domain, so even the site itself cannot track your movements through it.
-
@thomasp AFAIK you could just spoof the referrer and CSRF would be possible again.
-
@thomasp This is very true. I'll delete my misleading earlier reply. I'm not entirely sure what I was thinking when I wrote that.
I think using a CSRF token is probably better, especially on a forum - a site designed to accept user-created content. A referrer alone can't protect against (for example) an attacker using a vulnerability to inject a <script> into a reply.
-
No, the point of CSRF attacks is that a remote (evil) site triggers a request against a site you are logged in to, performing actions with your credentials. The remote site is not in a position to spoof a referrer though. Only you (the user) can do that, and if you choose to do that, that is entirely your prerogative.
-
@LonM Injecting <script> tags falls outside of CSRF and enters the world of XSS (Cross-Site Scripting). CSRF tokens would not protect against XSS vulnerabilities any more than referrer checking would.
-
@thomasp Ok. I'll trust you on that, thank you for the fast answers.
Switched to another extension that does not block all referrers but only 3rd-party ones. Cheers!
-
@thomasp But what if (assuming such a bug existed) I could add a <script> to a comment that used your privileges as a member of the admin team to interact with some admin-only-visible form on the forum. If it's only checking the referrer, and you happened to see my malicious comment (thus executing the script), then that's a vulnerability. If the form was CSRF protected, i.e. it generated a nonce only when you visited that form, then that would be better than a referrer.
But maybe I'm getting mixed up. It's been a long time since I last had a class on web security.
-
@LonM An XSS vulnerability would allow the injected script to read the form nonce and just repeat it back. The only true protection against XSS is to ensure all user-provided content is safely escaped or at the very least sanitized.
-