Submitted by jasongayson on Thu, 02/07/2013 - 20:53
This is not a configuration issue.
My browser sends referrer headers. The module config is perfectly set up.
I get no warnings about invalid referrers. Not at Webmin/Virtualmin. Not at Usermin.
Their checks are both bugged.
Status:
Closed (works as designed)
Comments
Submitted by JamieCameron on Thu, 02/07/2013 - 21:48 Comment #1
Can you give more details about exactly how the referrer checking isn't working for you?
Submitted by jasongayson on Thu, 02/07/2013 - 21:59 Comment #2
The browser is sending a referrer of https://panel..com, and the Webmin module is at https://.subnet.mysite.com/
I've enabled all options in the Trusted Referrers section, but did NOT add "panel.mysite.com" to trusted referrers. I wanted to verify that the module works first.
The thing is - it doesn't. It doesn't warn at all. About anything. Not on the landing page, nor after login. It just doesn't work.
I verified that my browser is sending Referrer headers, so it's not at fault.
In fact, the referrer checking works fine in Cloudmin, but not in Virtualmin and Usermin.
If I try to open a Cloudmin tunnel via "open in a new tab," my browser omits the referrer, and it complains loudly. So hey at least the referrer checking code works in one place! ;)
Submitted by JamieCameron on Thu, 02/07/2013 - 22:26 Comment #3
The referring checking is only enforced if you link to a page inside Webmin that performs some action - linking to the first page or the index page of most modules is considered safe, and so won't trigger any referrer warning.
Submitted by jasongayson on Fri, 02/08/2013 - 00:14 Comment #4
Oh. That behavior needs to be in the docs ("Help" page). Wasn't obvious from the description.
Submitted by JamieCameron on Fri, 02/08/2013 - 00:16 Comment #5
I'll add that to the help..