
Mailing List Archive: Request Tracker: Users

Any way to disable "cross-site request forgery" ?

methier at CGR

Sep 14, 2012, 12:37 PM


Hi,

We have an RT 4.0.7 instance set up that can be accessed by 2 different URLs.
With one URL we get this message:

RT has detected a possible cross-site request forgery for this
request, because the Referrer header supplied by your browser
(prodrt.rcs.fas.harvard.edu:443) is not allowed by RT's configured
hostname (prodrt.fas.harvard.edu:443). This is possibly caused by a
malicious attacker trying to perform actions against RT on your
behalf. If you did not initiate this request, then you should alert
your security team.

With the other URL path we don't. This is annoying to some of the people using RT.
Is there any way to disable these warnings? This didn't exist in an earlier
version of RT we were running (v3.8.8).

Thanks,
Mike


trs at bestpractical

Sep 14, 2012, 12:41 PM

Re: Any way to disable "cross-site request forgery" ?

On 09/14/2012 12:37 PM, Ethier, Michael wrote:
> Is there any way to disable these warnings? This didn't exist in an
> earlier version of RT we were running (v3.8.8).

http://bestpractical.com/rt/docs/4.0/RT_Config.html#ReferrerWhitelist


--------
Final RT training for 2012 in Atlanta, GA - October 23 & 24
http://bestpractical.com/training

We're hiring! http://bestpractical.com/jobs
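
The setting behind the link in the reply above, as an added example that is not part of the original thread: an `RT_SiteConfig.pm` fragment using the host names from the error message in the first post, on the assumption that `prodrt.fas.harvard.edu` stays the configured RT hostname. The commented-out `$RestrictReferrer` line is the weaker alternative that switches the check off for every request.

```perl
# etc/RT_SiteConfig.pm (added example; host names copied from the error message)

# Weak: disables the Referrer check for all requests, which removes the
# CSRF protection the message is reporting on. Left commented out on purpose.
# Set($RestrictReferrer, 0);

# Preferred: keep the check enabled and list only the extra name RT is reached by.
# Each entry is hostname:port and must match what the browser sends in the
# Referrer header, so the port (443 here) is part of the entry.
Set($RestrictReferrer, 1);
Set(@ReferrerWhitelist, qw(prodrt.rcs.fas.harvard.edu:443));

1;
```

RT reads this file at startup, so the web server has to be restarted for the change to take effect.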
