Disabling the Referer header (network.http.sendRefererHeader) prevents JIRA from working properly
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
Changing the following options in Firefox's about:config:
- network.http.sendRefererHeader=0
- network.http.sendSecureXSiteReferrer=false
causes JIRA to behave abnormally, and pages fail to load. The following is returned in the response:
XSRF check failed
Diagnosis
Environment
- Firefox Browser
Cause
JIRA needs network.http.sendRefererHeader=2 because of the Cross Site Request Forgery (CSRF) protection changes in Atlassian REST.
The KB article above explains the behavior: the referrer is required in the web request because of CSRF protection. In addition, http://kb.mozillazine.org/Network.http.sendRefererHeader also carries a warning about this:
Disabling Referer headers may cause some functionality on some sites to no longer work
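The following is an added example, not Atlassian's code: a simplified model of a Referer-based CSRF check, showing why a request that arrives without a Referer header is rejected. The base URL, the function names, the sample requests and the assumption that only state-changing methods are checked are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed base URL of the JIRA instance (constructed for this example).
BASE_URL = "https://jira.example.com"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumption: only mutating methods are checked
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it is not usable."""
    try:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # e.g. a non-numeric port or malformed host
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port)


def xsrf_check(method, headers, base_url=BASE_URL):
    """Model of a Referer-based check: returns (passed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    referer = {k.lower(): v for k, v in headers.items()}.get("referer")
    if not referer:
        # What the server sees when network.http.sendRefererHeader=0.
        return False, "XSRF check failed"
    ref_origin = origin_of(referer)
    if ref_origin is None or ref_origin != origin_of(base_url):
        return False, "XSRF check failed"
    return True, "same-origin referer"


# Constructed sample requests (method, request headers).
SAMPLES = [
    ("POST", {"Referer": "https://jira.example.com/browse/TEST-1"}),
    ("POST", {}),  # browser configured with sendRefererHeader=0
    ("POST", {"Referer": "https://other.example.net/page"}),
    ("GET", {}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers, "->", xsrf_check(method, headers))
```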
Workaround
The only way to use network.http.sendRefererHeader=0 or 1 is to disable CSRF protection. However, Atlassian does not recommend this, as it will impact the security of JIRA.
Resolution
Do not make any change to this configuration, as CSRF protection is sufficient for the security needed on the JIRA side.