Open andrewmoise opened 5 months ago
It might be an extension, possibly; something worth checking at least. I vaguely recall a post by someone saying similar and it turned out they had an extension that modified hidden input fields on pages, but I can't completely remember where I saw that.
Hm; I'm using Librewolf with no extensions aside from the built-in uBlock Origin. And it's not consistent; it'll happen sometimes not for a long time but then today I saw it happen a majority of the times I tried it from a page I had literally just loaded before trying to use controls on the page.
I can dig into it if I see it keep happening and an answer hasn't emerged in a little while.
That's interesting; there is one thing where all, or at least the ones I saw, JavaScript we load are defer and thus wait for the DOM to load. This can have weird effects where if you do something that would normally be AJAX, such as upvoting or boosting or moderating an entry, it will instead either reload the page or load a different page (this is usually because the elements are links to the action, but once JavaScript loads it prevents the default behavior and just sends AJAX requests). This might all be unrelated though as I'm not sure if CSRF has any JavaScript requirement.
Oooh... hm, I'm fairly sure that all of the times I saw this, it was on a flaky wireless network. So it'd be easily possible that loading the whole page was blocked while the network was trying to finish its transfers, and so there was a long interval when I could hit an upvote button and trigger an unusual path.
I just tried it with some artificial throttling and hitting controls before the page was fully loaded, and I couldn't get it to happen. IDK. I'll try to dig into it more if and when I see it recurring, I guess.
As of a few days ago, I've started getting CSRF failures periodically on a lot of common actions. For example:
Reload https://mbin.grits.dev/m/greentext@sh.itjust.works/t/17005/Anon-uses-reddit
Click to upvote a comment
This request sends:
{"message":"Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\BadRequestHttpException: \"Invalid CSRF token\" at AbstractController.php line 41","context":{"exception":{"class":"Symfony\Component\HttpKernel\Exception\BadRequestHttpException","message":"Invalid CSRF token","code":0,"file":"/var/www/mbin/src/Controller/AbstractController.php:41"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-01-23T13:23:18.772950+00:00","extra":{}}
There doesn't seem to be any consistent pattern; often reloading the page and trying the action again immediately after makes it work, but sometimes it doesn't.
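To look for a pattern in failures like the one logged above, the CSRF rejections can be pulled out of the application log and grouped by time, for example to compare against periods of poor connectivity. This is an added example, not part of the original report or of the project's code; it assumes the log holds one JSON object per line in the shape quoted above, and the sample lines and function names are constructed.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample lines (not real traffic), with backslashes escaped as valid JSON.
# Line 3 is an unrelated error, line 4 has an empty context, line 5 is a truncated write.
SAMPLE_LOG = r'''
{"message":"constructed","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token","code":0}},"level":400,"channel":"request","datetime":"2024-01-23T13:23:18.000000+00:00","extra":{}}
{"message":"constructed","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token","code":0}},"level":400,"channel":"request","datetime":"2024-01-23T13:23:48.000000+00:00","extra":{}}
{"message":"constructed","context":{"exception":{"class":"RuntimeException","message":"Something else","code":0}},"level":400,"channel":"request","datetime":"2024-01-23T13:30:00.000000+00:00","extra":{}}
{"message":"constructed","context":[],"level":200,"channel":"app","datetime":"2024-01-23T13:35:00.000000+00:00","extra":{}}
{"message":"constructed","context":{"exception":{"class":"Symf
{"message":"constructed","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token","code":0}},"level":400,"channel":"request","datetime":"2024-01-23T13:41:18.000000+00:00","extra":{}}
'''

def csrf_failures(lines):
    """Yield the timestamp of every 'Invalid CSRF token' exception record."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        ctx = rec.get("context") if isinstance(rec, dict) else None
        exc = ctx.get("exception") if isinstance(ctx, dict) else None
        if not isinstance(exc, dict):
            continue
        if (str(exc.get("class", "")).endswith("BadRequestHttpException")
                and exc.get("message") == "Invalid CSRF token"):
            yield datetime.fromisoformat(rec["datetime"])

def per_minute(timestamps):
    """Count failures per minute so bursts stand out from isolated errors."""
    return Counter(ts.strftime("%Y-%m-%d %H:%M") for ts in timestamps)

def gaps_seconds(timestamps):
    """Seconds between consecutive failures; short gaps suggest retries on one page."""
    ordered = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]

if __name__ == "__main__":
    found = list(csrf_failures(SAMPLE_LOG.splitlines()))
    for minute, count in sorted(per_minute(found).items()):
        print(minute, count)
    print("gaps (s):", gaps_seconds(found))
```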