> Date: Tue, 22 Oct 2013 13:08:05 -0400
> From: Kevin Falcone <[email protected]>
> To: [email protected]
> Subject: Re: [rt-users] Restrictions and limitations on use of
>  ReferrerWhitelist, RestrictReferrer, RestrictReferrer (cross-site
>  request forgery warning message)
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> On Mon, Oct 21, 2013 at 03:30:08PM -0700, Duncan Napier wrote:
> >
> > ReferrerWhitelist [(Set(@ReferrerWhitelist, qw(*.example.com:443
> > *.example.com:80));] and Set RestrictLoginReferrer=0 do not seem to
> > work at all and all users, privileged and unprivileged and all
> > users
> > get the cross-site request forgery message.
> >
> As for @ReferrerWhitelist, you'd have to show an actual error message
> to compare with the domains that you're whitelisting in order to know
> what's wrong. This is the preferred solution (white list the source
> of your ticket form submissions).
>
> -kevin

OK ... thanks for clarification. I think my problem with the Whitelist is that I have whitespace in my $Organization name. The Apache error log shows

    [Fri Oct 25 20:03:48 2013] [error]: your $Organization setting (Another Company) appears to contain whitespace. Please fix this. (/usr/local/rt/sbin/../lib/RT/Config.pm:505)
    [Fri Oct 25 20:03:48 2013] [notice]: Possible CSRF: your browser did not supply a Referrer header (/usr/local/rt/sbin/../lib/RT/Interface/Web.pm:1458)

Does Whitelist use $Organization as a reference/lookup?

When I set RT up, using my domain didn't make much sense because MY domain is different from the organizational unit that I am supporting, so I put in the ACTUAL NAME of the other organizational unit I support. I realize now that spaces in $Organization are not allowed in RT, but I have not had any problems up to now. I am prepared to change it if necessary and I have seen instructions on this list to do an $Organization search-and-replace in MySQL to preserve links.
