Bug 9584 - CSRF error message need some layout tweaks to not discourage users.
Status: CLOSED FIXED
Product: Logitech Media Server
Classification: Unclassified
Component: Web Interface
Version: 7.4.0
Hardware: PC Other
Importance: P5 normal
Target Milestone: 7.4.0
Assigned To: Michael Herger
Depends on:
Blocks:
Reported: 2008-09-25 08:21 UTC by Michael Herger
Modified: 2009-10-05 14:26 UTC (History)

See Also:
Category: ---


Attachments
example error message (31.67 KB, image/png)
2008-09-25 08:44 UTC, Michael Herger

Description Michael Herger 2008-09-25 08:21:30 UTC
Our CSRF protection is checking for referer in the HTTP headers. An increasing number of products ("Internet security suites", FF add-ons etc.) offer to remove that header as part of the privacy protection. 

In this case the user is faced with an ugly error message when trying to set some preference. (o-tone tester: "I get the world's ugliest, the worst error message I've ever seen. It's hilarious. It instantly tells you not to read it.")

The descriptions are way too technical for users to understand. In the best case they will just turn it off because they want to get SC working.

We should 
- consider disabling CSRF protection by default
- re-design the error page, as it's daunting
Comment 1 Michael Herger 2008-09-25 08:44:20 UTC
Created attachment 4059 [details]
example error message

Languages with accented characters are even worse, as the characters are broken...
Comment 2 Adrian Smith 2008-09-26 11:14:51 UTC
Could you disable by default if the client is the same host as the server or on the local network?
Comment 3 Michael Herger 2008-09-28 12:59:31 UTC
I'd assume most "threats" come from the localhost: a mail with a dodgy link in it, sent to you.
Comment 4 Chris Owens 2008-09-29 10:20:37 UTC
Andy agrees it should be disabled by default
Comment 5 Michael Herger 2008-09-29 23:16:51 UTC
change 23333 - CSRF protection is now disabled by default. Still need to improve the error page's layout.
Comment 6 Michael Herger 2009-04-22 04:01:48 UTC
change 26175 - in the CSRF error page only show url without the parameters. It's too confusing.
Comment 7 Peter Watkins 2009-05-03 21:00:36 UTC
I think it would be better to go back to defaulting to Medium protection and add some code in the default skin to detect Referer problems and inform the user than to disable the protection for all new users -- much as many web apps use code to detect pop-up blockers. I'm grateful, though, that you're still giving users the option to turn on the protection.

I agree the error message is hideous (and I wrote it). Beyond fixing the awful \" junk, it would be nice if this page linked to resources discussing CSRF, and maybe some of the software that Logitech support has run into that cause problems. And linking to pages that others maintain (Wikipedia?) means less translation work/cost for Logitech. :-)
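The following is an added illustration and not code from Logitech Media Server or from any of the commenters. It sketches the mechanism the description explains (a Referer-header check on state-changing requests) in a form that addresses the complaints in this thread: it tells a missing Referer (stripped by a privacy tool) apart from a Referer naming a foreign site, it builds the error text without the query string as comment 6 did, it keeps the text as Unicode so accented translations are not mangled as in comment 1, and it offers the up-front probe comment 7 asks for. The level names, host list, URLs and German strings are constructed for the example.

```python
"""Added illustration, not Logitech Media Server code: a Referer-based CSRF
check that separates a missing Referer from a foreign one, plus a plainer
error page and a probe the web skin can use to warn users in advance.
Host list, level names and message strings are constructed examples."""
from urllib.parse import urlsplit, urlunsplit

# Outcomes handed back to the request handler.
ALLOW = "allow"
BLOCK_MISSING = "block-missing"     # no Referer header arrived at all
BLOCK_MISMATCH = "block-mismatch"   # Referer names some other site


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_referer(headers, server_hosts, level="medium"):
    """Classify a state-changing request by its Referer header.

    level "off"    -> protection disabled (the default after change 23333);
                      every request is allowed.
    level "medium" -> the Referer's hostname must be one of server_hosts
                      (assumed level names, not the server's own).
    """
    if level == "off":
        return ALLOW
    referer = _header(headers, "Referer")
    if not referer:
        return BLOCK_MISSING
    host = (urlsplit(referer).hostname or "").lower()
    if host in {h.lower() for h in server_hosts}:
        return ALLOW
    return BLOCK_MISMATCH


def error_page(outcome, request_url, strings):
    """Plain-language text for a blocked request.

    The URL is shown without its query string (comment 6); the result is a
    Unicode str, so accented translations survive (comment 1) provided the
    response is sent with charset=utf-8.
    """
    parts = urlsplit(request_url)
    shown = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if outcome == BLOCK_MISSING:
        reason = strings["missing"]
    elif outcome == BLOCK_MISMATCH:
        reason = strings["mismatch"]
    else:
        raise ValueError("error_page() is only for blocked outcomes")
    return f"{reason}\n{strings['request']}: {shown}"


def referer_arrives(headers):
    """Probe for comment 7's idea: the skin fetches a harmless URL from a page
    the server itself served and asks whether the Referer came through, so it
    can warn the user before a settings change runs into the error page."""
    return _header(headers, "Referer") is not None


# Constructed sample data.
SERVER_HOSTS = ["192.168.1.10", "squeezebox.local"]
STRINGS_DE = {
    "missing": "Ihr Browser oder eine Sicherheitssoftware unterdrückt den Referer-Header.",
    "mismatch": "Diese Anfrage kam von einer fremden Seite und wurde abgewiesen.",
    "request": "Betroffene Adresse",
}

if __name__ == "__main__":
    url = "http://192.168.1.10:9000/settings/server/basic.html?p0=audio&p1=flac"
    cases = {
        "normal":   {"Host": "192.168.1.10:9000", "Referer": "http://192.168.1.10:9000/settings/"},
        "stripped": {"Host": "192.168.1.10:9000"},
        "foreign":  {"Host": "192.168.1.10:9000", "Referer": "http://other-site.example/page.html"},
    }
    for name, hdrs in cases.items():
        outcome = check_referer(hdrs, SERVER_HOSTS)
        print(name, "->", outcome)
        if outcome != ALLOW:
            print(error_page(outcome, url, STRINGS_DE))
```

The point of the three-way split is that the "stripped" case, which is the one this bug is about, can be explained in terms of the user's own software rather than with the generic message that a foreign-site request gets, and the probe lets the skin raise that explanation before the user loses a settings change.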
Comment 8 James Richardson 2009-10-05 14:26:17 UTC
This bug has been marked as fixed in the 7.4.0 release version of SqueezeBox Server!
    * SqueezeCenter: 28672
    * Squeezebox 2 and 3: 130
    * Transporter: 80
    * Receiver: 65
    * Boom: 50
    * Controller: 7790
    * Radio: 7790  

Please see the Release Notes for all the details: http://wiki.slimdevices.com/index.php/Release_Notes

If you haven't already, please download and install the new version from http://www.logitechsqueezebox.com/support/download-squeezebox-server.html

If you are still experiencing this problem, feel free to reopen the bug with your new comments and we'll have another look.