How to Fix MODx CSRF Error when Using Firefox 3.5
December 28, 2009 | Tags for this entry: MODx, solutions
This article describes how to fix the error “A possible CSRF attempt was detected. No referer was provided by the server.” that recently appeared when I upgraded to MODx 1.0.2.
I use WordPress for all of my blogs, but my CMS of choice is MODx, hands down. As I recently mentioned on the forums and on Twitter, the update to version 1.0.2 started causing a very frustrating problem when accessing the manager in my copy of Firefox 3.5. The good news was that the problem did not seem to appear in Safari, so I was able to get into the manager from there.
The error shows up like this: A possible CSRF attempt was detected. No referer was provided by the server.
If you go to the MODx forums, you’ll see that they suggest any of the following: 1.) reinstall, 2.) go into your database or site cache file and change the value of Validate HTTP_REFERER headers to “0”, or 3.) turn the Validate HTTP_REFERER headers option off in the configuration settings using a browser that can access the manager successfully.
I tried all of these and they do work. However, none of these is an actual solution. For one, this security feature was added for a reason, and when it’s disabled, your Manager displays a constant warning about it. Also, if you change this manually in your site cache file, it somehow changes from “0” to “00” and the problem returns. Another reason is that I launch new sites with MODx at least once a month and I didn’t want to have to do that every single time I install.
I thought about it for a while and it hit me: the key word here is “referer”. The lack of a referrer made me think of the Firefox about:config panel because I had run into something similar not too long ago.
You see, a while back, I came across a blog posting on the Net somewhere that was entitled something like “How to Optimize Your Firefox Installation”. In it, there was a list of suggested “tweaks” that one would apply in the about:config panel that would theoretically speed up Firefox and make an overall “more optimized” application. One of these supposedly helpful suggestions was to instruct Firefox to NOT send referrer information. Well, I didn’t nit-pick the changes… I just applied them *Facepalm*. It took me over a year to notice that blocking referrer information was actually breaking some functionality on a few sites that I visit.
Once I realized that mine was set to block, I made the necessary change, and now the problem is fixed. To get rid of the CSRF error, I went to the about:config of Firefox and found the integer for network.http.sendRefererHeader, which was set to 0, and reset it to 2 in order to send the proper referrer information to the website.
Why This Works
Here’s some information about the different sendRefererHeader settings in the Firefox about:config from The Cafes that helps explain what’s going on here.
Setting it to 1 sends a referer header when following a link to another page, but not when loading images on the page. This will block most cross-site cookie tracking, but still allow WordPress and most other sites that depend on referers to function. Setting sendRefererHeader to 2 (the default) sends it when following links and when loading images on the page.
In the case of MODx, setting the integer to “1” does not work. It must be set to the default of “2”. So if you have been poking around in your Firefox settings at one time or another, make sure to check this setting if you’re experiencing problems with your MODx installation.
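To make the failure mode concrete, the following PHP is an added example (not MODx's own code and not part of the original post) of how a strict Referer check treats a request that arrives without the header. The helper name check_referer, the host example.com, the second error message and the sample requests are all assumptions made for illustration.

```php
<?php
// Added example: strict Referer validation in the style the option
// "Validate HTTP_REFERER headers" suggests. This is NOT MODx source code.

// Hypothetical helper. $server mimics PHP's $_SERVER; $siteHost is the
// host name the manager is served from (assumed value below).
function check_referer(array $server, string $siteHost): array
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        // Nothing to validate: the browser omitted the header, which is
        // what network.http.sendRefererHeader = 0 causes.
        return [false, 'A possible CSRF attempt was detected. No referer was provided by the server.'];
    }
    // Compare the parsed host exactly; a substring match would also
    // accept a look-alike such as http://example.com.other.test/.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $siteHost) !== 0) {
        return [false, 'Referer host does not match the site (hypothetical message).'];
    }
    return [true, 'Referer accepted.'];
}

// Constructed sample requests, not captured traffic.
$siteHost = 'example.com';
$samples = [
    'sendRefererHeader = 2, link inside the manager' => ['HTTP_REFERER' => 'http://example.com/manager/index.php'],
    'sendRefererHeader = 0, header suppressed'       => [],
    'form submitted from another site'               => ['HTTP_REFERER' => 'http://other.test/page.html'],
    'look-alike host'                                => ['HTTP_REFERER' => 'http://example.com.other.test/'],
];

foreach ($samples as $label => $server) {
    [$ok, $message] = check_referer($server, $siteHost);
    printf("%-48s %s: %s\n", $label, $ok ? 'ALLOW' : 'BLOCK', $message);
}
```

A check like this cannot tell a privacy setting from a stripped header, so a legitimate browser that suppresses Referer is blocked the same way as a request with no provenance at all.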
Note: I upgraded from 0.9.6 to 1.0.2, so this problem may exist in other versions of MODx, such as 1.0.1, and likely affects all versions of Firefox.
Note: If you are having this problem and Firefox is not the culprit, you might have some other software on your computer that is blocking the sending of referrer information in an effort to protect your privacy. Some forum postings suggest that Norton Anti-Virus may also cause this error.