Disabling the Referer header with network.http.sendRefererHeader prevents JIRA from working properly


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

 

Problem

Changing the following options in Firefox's about:config:

  • network.http.sendRefererHeader=0
  • network.http.sendSecureXSiteReferrer=false

causes JIRA to behave abnormally, and pages fail to load. The following is returned in the response:

XSRF check failed

Diagnosis

Environment

  • Firefox Browser

Cause

JIRA requires network.http.sendRefererHeader=2 because of the Cross Site Request Forgery (CSRF) protection changes in Atlassian REST.

That KB article explains the behavior: the referrer is required in the web request because of CSRF protection. In addition, http://kb.mozillazine.org/Network.http.sendRefererHeader also carries a warning about this:

 

Disabling Referer headers may cause some functionality on some sites to no longer work
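The following sketch models a Referer-based XSRF check to show why a request without the header is rejected. It is an added example, not Atlassian's code; the function names, the base URL, the sample requests and the wording after "XSRF check failed" are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed port or host
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])


def referer_check(headers, base_url):
    """Hypothetical model of a Referer-based XSRF check: (allowed, reason)."""
    expected = origin_of(base_url)
    if expected is None:
        raise ValueError("base_url must be an absolute http(s) URL")
    # Header names are case-insensitive on the wire.
    referer = {k.lower(): v for k, v in headers.items()}.get("referer", "").strip()
    if not referer:
        # What the server sees when network.http.sendRefererHeader=0.
        return (False, "XSRF check failed: no Referer header")
    # Compare parsed origins; a string prefix test would accept
    # https://jira.example.com.attacker.test/ as if it were the base URL.
    if origin_of(referer) != expected:
        return (False, "XSRF check failed: Referer origin mismatch")
    return (True, "same origin")


BASE_URL = "https://jira.example.com"  # constructed base URL
SAMPLES = [  # constructed request headers
    ("default (pref=2)", {"Referer": BASE_URL + "/secure/Dashboard.jspa"}),
    ("referer disabled (pref=0)", {}),
    ("cross-site page", {"Referer": "https://other.example.net/page"}),
    ("lookalike host", {"Referer": "https://jira.example.com.attacker.test/"}),
]

if __name__ == "__main__":
    for label, headers in SAMPLES:
        print(label, "->", referer_check(headers, BASE_URL))
```

A request from the user's own JIRA session with the header stripped fails in the same way as a forged cross-site request, which is why the browser setting breaks normal use.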

 

Workaround

The only way to use network.http.sendRefererHeader=0 or 1 is to disable the CSRF protection. However, Atlassian does not recommend this, as it will impact the security of JIRA.

Resolution

Do not change this configuration, as the CSRF protection is sufficient for the security needed on the JIRA side.

 

Last modified on Nov 2, 2018
