web gui logins fail when http referer header is disabled in browser

Status
Not open for further replies.

sysfu

Explorer
Joined
Jun 16, 2011
Messages
73
I like to keep the send http referer header option disabled in my web browsers for privacy reasons. I noticed that this breaks FreeNAS web gui logins however.

Can this please be fixed so that logins can be made without sending the http referer header?

Below is the error message.

Forbidden (403)

CSRF verification failed. Request aborted.
You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.
More information is available with DEBUG=True.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
This is a question you might want to ask in IRC. The short answer I think is "not a chance this will happen". But I'll let the developers comment on it.
 

sysfu

Explorer
Joined
Jun 16, 2011
Messages
73
I'm happy to ask in IRC but I also wanted to get this question posted in the forums so that others searching on the topic can find it.

Do you care to speculate on why the request is not likely to be accommodated?

PfSense does not require the use of the referer header in order to log in.
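Added example, not part of the original thread and not FreeNAS or framework source code: a simplified Python model of the strict Referer check that the 403 message in the first post describes, showing why a missing header is rejected on HTTPS while a same-origin-only Referer still passes. The function name, the reason strings and the hostnames `nas.example` and `other.example` are constructed for illustration.

```python
# Simplified model of a strict Referer check applied to state-changing
# requests on HTTPS. Illustration only; a real framework also validates
# a CSRF token, which is not modelled here.
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def check_referer(method, is_https, host, headers):
    """Return (allowed, reason) for one request.

    host    -- host[:port] the server is serving (constructed value)
    headers -- dict of request headers as sent by the browser
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    if not is_https:
        # Assumption: the strict check is only applied on HTTPS,
        # as the error message says ("this HTTPS site requires...").
        return True, "plain HTTP, Referer not checked"
    referer = headers.get("Referer")
    if not referer:
        # The case from the thread: browser configured to send no Referer.
        return False, "no Referer"
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return False, "malformed Referer"
    if parts.scheme != "https":
        return False, "insecure Referer"
    if parts.netloc.lower() != host.lower():
        return False, "Referer does not match host"
    return True, "same-origin Referer"


if __name__ == "__main__":
    # Constructed sample requests against a host named nas.example.
    samples = [
        ("POST", {}),                                          # Referer disabled
        ("POST", {"Referer": "https://nas.example/login/"}),   # same-origin only
        ("POST", {"Referer": "https://other.example/page"}),   # cross-site form
        ("POST", {"Referer": "http://nas.example/login/"}),    # downgraded scheme
        ("GET", {}),                                           # page load
    ]
    for method, headers in samples:
        print(method, headers, "->",
              check_referer(method, True, "nas.example", headers))
```

The second sample corresponds to the option the error message itself suggests: sending the header only for same-origin requests is enough to pass the check.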
 