How to Fix MODx CSRF Error when Using Firefox 3.5
December 28, 2009 | Tags for this entry: MODx, solutions
This article describes how to fix the error “A possible CSRF attempt was detected. No referer was provided by the server.” that recently appeared when I upgraded to MODx 1.0.2.
I use WordPress for all of my blogs, but my CMS of choice is MODx, hands down. As I recently mentioned on the forums and on Twitter, the update to version 1.0.2 started causing a very frustrating problem when accessing the manager in my copy of Firefox 3.5. The good news was that the problem did not seem to appear in Safari, so I was able to get into the manager from there.
The error shows up like this: A possible CSRF attempt was detected. No referer was provided by the server.
If you go to the MODx forums, you’ll see that they suggest any of the following: 1.) reinstall, 2.) go into your database or site cache file and change the value of Validate HTTP_REFERER headers to “0”, or 3.) turn the Validate HTTP_REFERER headers option off in the configuration settings using a browser that can access the manager successfully.
I tried all of these and they do work. However, none of these is an actual solution. For one, this security feature was added for a reason, and when it’s disabled, your Manager displays a constant warning about it. Also, if you change this manually in your site cache file, it somehow changes from “0” to “00” and the problem returns. Another reason is that I launch new sites with MODx at least once a month and I didn’t want to have to do that every single time I install.
I thought about it for a while and it hit me: the key word here is “referer”. The lack of a referrer made me think of the Firefox about:config panel because I had run into something similar not too long ago.
You see, a while back, I came across a blog posting on the Net somewhere that was entitled something like “How to Optimize Your Firefox Installation”. In it, there was a list of suggested “tweaks” that one would apply in the about:config panel that would theoretically speed up Firefox and make an overall “more optimized” application. One of these supposedly helpful suggestions was to instruct Firefox to NOT send referrer information. Well, I didn’t nit-pick the changes… I just applied them *Facepalm*. It took me over a year to notice that blocking referrer information was actually breaking some functionality on a few sites that I visit.
The Solution
Once I realized that mine was set to block, I made the necessary change, and now the problem is fixed. To get rid of the CSRF error, I went to the about:config of Firefox and found the integer for network.http.sendRefererHeader, which was set to 0, and reset it to 2 in order to send the proper referrer information to the website.
Why This Works
Here’s some information about the different sendRefererHeader settings in the Firefox about:config from The Cafes that helps explain what’s going on here.
Setting it to 1 sends a referer header when following a link to another page, but not when loading images on the page. This will block most cross-site cookie tracking, but still allow WordPress and most other sites that depend on referers to function. Setting sendRefererHeader to 2 (the default) sends it when following links and when loading images on the page.
In the case of MODx, setting the integer to “1” does not work. It must be set to the default of “2”. So if you may have been poking around in your Firefox settings at one time or another, make sure to check this setting if you’re experiencing problems with your MODx installation.
Note: I upgraded from 0.9.6 to 1.0.2, so this problem may exist in other versions of MODx, such as 1.0.1, and likely affects all versions of Firefox.
Note: If you are having this problem and Firefox is not the culprit, you might have some other software on your computer that is blocking the sending of referrer information in an effort to protect your privacy. Some forum postings suggest that Norton Anti-Virus may also cause this error.
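To make the failure concrete, here is an added example (not MODx source and not from the original post) of a Referer-based check of the kind the error message implies, beside the per-session token check that one of the comments below asks about. The function names, the `csrf_token` field and the example.org hosts are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not MODx source.

/** Classify a request by its Referer: 'ok', 'missing' or 'foreign'. */
function check_referer(array $server, string $siteHost): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        // sendRefererHeader = 0, or software that strips the header:
        // a legitimate user is indistinguishable from a forged request.
        return 'missing';
    }
    $host = parse_url($referer, PHP_URL_HOST);
    // Compare the parsed host exactly; a substring match would also
    // accept a foreign URL that merely contains the site's name.
    if (!is_string($host) || strcasecmp($host, $siteHost) !== 0) {
        return 'foreign';
    }
    return 'ok';
}

/** Store a random per-session token to embed in each form. */
function issue_token(array &$session): string
{
    return $session['csrf_token'] = bin2hex(random_bytes(32));
}

/** Constant-time comparison of the submitted token with the session's. */
function check_token(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed sample requests for a site hosted at www.example.org.
$cases = [
    'normal browser'      => ['HTTP_REFERER' => 'http://www.example.org/manager/'],
    'sendRefererHeader=0' => [],
    'cross-site form'     => ['HTTP_REFERER' => 'http://other.example/page.html'],
];
foreach ($cases as $label => $server) {
    printf("%-20s %s\n", $label, check_referer($server, 'www.example.org'));
}

$session = [];
$token = issue_token($session);
var_dump(check_token($session, ['csrf_token' => $token])); // request carrying the token
var_dump(check_token($session, []));                       // request without it
```

The Referer check has to treat a stripped header as a failure, which is why a browser or security suite that withholds it locks a legitimate user out; the token check gives the same answer whatever the browser sends.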
December 28th, 2009 at 9:06 am
Nice debugging there Aaron. For awhile I thought you were having a Firefox on Mac issue.
I think that article on Optimizing Firefox came from LifeHacker.
Nice write up either way.
January 16th, 2010 at 7:02 am
Thanks for the tip! I actually had my referrers disabled from the web developer tool bar, this post saved me a lot of searching and unnecessary trouble!
February 3rd, 2010 at 11:19 am
Well this error just happened to me, after I installed Google PageSpeed plugin for Firefox, and then Firebug. As I type this Firebug is not activated yet; so I’ll disable PageSpeed and let you know…
February 3rd, 2010 at 11:26 am
Firebug disabled & PageSpeed disabled : modx manager works
Firebug enabled & PageSpeed disabled : modx manager does not work
Firebug disabled & PageSpeed enabled (it’s useless, but …) modx manager works
Anyway Firebug is eating too much resource, so I’ll just disable it when it’s not needed 🙂
April 13th, 2010 at 1:24 pm
Hey, I just installed 1.0.3 locally on my Mac (MAMP 1.84) and the CSRF is back again. The SendRefererHeader was already on 2. So this doesn’t do it for me. I do have a strict M0n0wall protection for my ISP, but this runs locally! This could mean this CSRF attack came from within? I wonder what the real thing is here, I don’t get it.
April 13th, 2010 at 9:05 pm
No, I’ve never had that type of setup, but I’m sure that the error may have something to do with accessing a local site locally.
I assume that you wouldn’t be allowing any external access to this local installation, so you should be good with disabling the feature in the MODx admin.
May 28th, 2010 at 2:51 am
Wait.
ModX is using the referrer as a way to prevent CSRF ? Are you kidding ?
Is it too hard to do it right with unique random tokens ?
May 24th, 2012 at 2:07 pm
Thanks for this. I have been having this same problem when using Firefox 12.0. I have never messed with the settings, but the value was indeed set to “0” when I checked. Cheers.