How to Fix MODx CSRF Error when Using Firefox 3.5

This article describes how to fix the error “A possible CSRF attempt was detected. No referer was provided by the server.” that recently appeared when I upgraded to MODx 1.0.2.

MODx + FF

I use WordPress for all of my blogs, but my CMS of choice is MODx, hands down. As I recently mentioned on the forums and on Twitter, the update to version 1.0.2 started causing a very frustrating problem when accessing the manager in my copy of Firefox 3.5. The good news was that the problem did not seem to appear in Safari, so I was able to get into the manager from there.

The error shows up like this: A possible CSRF attempt was detected. No referer was provided by the server.

If you go to the MODx forums, you’ll see that they suggest any of the following: 1.) reinstall, 2.) go into your database or site cache file and change the value of Validate HTTP_REFERER headers to “0”, or 3.) turning the Validate HTTP_REFERER headers option off in the configuration settings using a browser that can access the manager successfully.

I tried all of these and they do work. However, none of these is an actual solution. For one, this security feature was added for a reason, and when it’s disabled, your Manager displays a constant warning about it. Also, if you change this manually in your site cache file, it somehow changes from “0” to “00” and the problem returns. Another reason is that I launch new sites with MODx at least once a month and I didn’t want to have to do that every single time I install.

I thought about it for a while and it hit me: the key word here is “referer”. The lack of a referrer made me think of the Firefox about:config panel because I had run into something similar not too long ago.

You see, a while back, I came across a blog posting on the Net somewhere that was entitled something like “How to Optimize Your Firefox Installation”. In it, there was a list of suggested “tweaks” that one would apply in the about:config panel that would theoretically speed up Firefox and make an overall “more optimized” application. One of these supposedly helpful suggestions was to instruct Firefox to NOT send referrer information. Well, I didn’t nit-pick the changes… I just applied them *Facepalm*. It took me over a year to notice that blocking referrer information was actually breaking some functionality on a few sites that I visit.

The Solution

Once I realized that mine was set to block, I made the necessary change, and now the problem is fixed. To get rid of the CSRF error, I went to the about:config of Firefox and found the integer for network.http.sendRefererHeader, which was set to 0, and reset it 2 in order to send the proper referrer information to the website.

Modifying the setting in about:config

Why This Works

Here’s some information about the different sendRefererHeader settings in the Firefox about:config from The Cafes that helps explain what’s going on here.

Setting it to 1 sends a referer header when following a link to another page, but not when loading images on the page. This will block most cross-site cookie tracking, but still allow WordPress and most other sites that depend on referers to function. Setting sendRefererHeader to 2 (the default) sends it when following links and when loading images on the page.

In the case of MODx, setting the integer to “1” does not work. It must be set to the default of “2”. So if you may have been poking around in your Firefox settings at one time or another, make sure to check this setting if you’re experiencing problems with your MODx installation.

Note: I upgraded from 0.9.6 to 1.0.2, so this problem may exist in other versions of MODx, such as 1.0.1 and likely affects all versions of Firefox.

Note: If you are having this problem and Firefox is not the culprit, you might have some other software on your computer that is blocking the sending of referrer information in an effort to protect your privacy. Some forum postings suggest that Norton Anti-Virus may also cause this error.

Comments

8 Comments

  1. Sal B / @mayhemchaos writes:

    Nice debugging there Aaron. For awhile I thought you were having a Firefox on Mac issue.

    I think that article on Optimizing Firefox came from LifeHacker.

    Nice write up either way.

  2. Steve writes:

    Thanks for the tip! I actually had my referrers disables from the web developer tool bar, this post saved me a lot of searching and unnecessary trouble!

  3. Tibor writes:

    Well this error just happened to me, after I installed Google PageSpeed plugin for Firefox, and then Firebug. As I type this Firebug is not activated yet; so I’ll disable PageSpeed and let you know…

  4. Tibor writes:

    Firebug disabled & PageSpeed disabled : modx manager works

    Firebug enabled & PageSpeed disabled : modx manager does not work

    Firebug disabled & PageSpeed enabled (it’s useless, but …) modx manager works

    Anyway Firebug is eating too much resource, so I’ll just disable it when it’s not needed :)

  5. Frank writes:

    Hey, I just installed 1.0.3 locally on my Mac (MAMP 1.84) and the CSRF is back again. The SendRefererHeader was already on 2. So this doesn’t do it for me. I do have a strict M0n0wall protection for my ISP, but this is runs locally! This could mean this CSRF attack came from within? I wonder what the real thing is here, I dont get it.

  6. .abelafonte writes:

    No, I’ve never had that type of setup, but I’m sure that the error may have something to do with accessing a local site locally.

    I assume that you wouldn’t be allowing any external access to this local installation, so you should be good with disabling the feature in the MODx admin.

  7. Arkh writes:

    Wait.
    ModX is using the referrer as a way to prevent CSRF ? Are you kidding ?
    Is it too hard to do it right with unique random tokens ?

  8. Jesse writes:

    Thanks for this. I have been having this same problem when using Firefox 12.0. I have never messed with the settings, but the value was indeed set to “0” when I checked. Cheers.