MbinOrg / mbin

Mbin: a federated content aggregator, voting, discussion and microblogging platform (By the community, for the community)
https://joinmbin.org
GNU Affero General Public License v3.0

CSRF Failures #458

Open andrewmoise opened 5 months ago

andrewmoise commented 5 months ago

As of a few days ago, I've started getting CSRF failures periodically on a lot of common actions. For example:

POST /ecf/83304?choice=1 HTTP/2
Host: mbin.grits.dev
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
Referer: https://mbin.grits.dev/m/greentext@sh.itjust.works/t/17005/Anon-uses-reddit
Origin: https://mbin.grits.dev
DNT: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Connection: keep-alive
Cookie: kbin_theme=tokyo-night; kbin_entries_compact=false; PHPSESSID=p0pi4rvnco37kg7kdh9jgt2bm1; REMEMBERME=App.Entity.User%3AbW96eg~~%3A1706450200%3A_TA9K7vTRKa0rEND-bgbBgoVIhFXh43bx8Am-IzJZrNf%3A9NJHErZ0m9yiMz8oz_idMiktdS_yReUZaBquC-xQECpH; entry_comments_view=tree; kbin_general_fixed_navbar=true; kbin_subscriptions_large_panel=true; kbin_posts_show_preview=true
TE: trailers

HTTP/2 400 Bad Request
server: nginx/1.22.1
content-type: text/html; charset=UTF-8
vary: Accept
cache-control: max-age=0, must-revalidate, private
date: Tue, 23 Jan 2024 13:23:18 GMT
expires: Tue, 23 Jan 2024 13:23:18 GMT
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: same-origin
x-download-options: noopen
x-permitted-cross-domain-policies: none
strict-transport-security: max-age=31536000; includeSubDomains; preload
X-Firefox-Spdy: h2

{"message":"Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\BadRequestHttpException: \"Invalid CSRF token\" at AbstractController.php line 41","context":{"exception":{"class":"Symfony\Component\HttpKernel\Exception\BadRequestHttpException","message":"Invalid CSRF token","code":0,"file":"/var/www/mbin/src/Controller/AbstractController.php:41"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-01-23T13:23:18.772950+00:00","extra":{}}

There doesn't seem to be any consistent pattern; often reloading the page and trying the action again immediately after makes it work, but sometimes it doesn't.

e-five256 commented 5 months ago

It might be an extension, possibly; something worth checking at least. I vaguely recall a post by someone saying similar and it turned out they had an extension that modified hidden input fields on pages, but I can't completely remember where I saw that

andrewmoise commented 5 months ago

Hm; I'm using Librewolf with no extensions aside from the built-in uBlock Origin. And it's not consistent; sometimes it won't happen for a long time, but then today I saw it happen a majority of the times I tried it, from a page I had literally just loaded before trying to use controls on the page.

I can dig into it if I see it keep happening and an answer hasn't emerged in a little while.

e-five256 commented 5 months ago

That's interesting; there is one thing: all, or at least the ones I saw, of the JavaScript files we load are deferred and thus wait for the DOM to load. This can have weird effects where, if you do something that would normally be ajax, such as upvoting or boosting or moderating an entry, it will instead either reload the page or load a different page (this is usually because the elements are links to the action, but once JavaScript loads it prevents the default behavior and just sends ajax requests). This might all be unrelated, though, as I'm not sure if CSRF has any JavaScript requirement.
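The "Invalid CSRF token" exception in the report is raised by a Symfony-style CSRF check, in which the token rendered into the page's hidden input is compared against a value stored in the server-side session. The request in the report is a full-page form navigation (Sec-Fetch-Mode: navigate, Sec-Fetch-Dest: document), so it went through the non-JS path described above. As an added illustration, not code from this issue, from Mbin or from Symfony, here is a simplified Python model of a per-session token check of that shape, exercising the two failure modes the thread raises: a hidden-input token altered before submit (the extension hypothesis) and a submit arriving under a session that no longer holds the token the page was rendered with. The token id `entry_vote`, the `/ecf/{id}?choice=` route shape, the session object and the storage key prefix are all assumptions made for the example.

```python
"""Simplified model of a per-session CSRF token check.

Constructed for illustration only; not Mbin's or Symfony's code. The token id,
route shape, session object and storage key prefix are assumptions.
"""
import hmac
import secrets


class Session:
    """Stands in for the PHP session behind PHPSESSID (assumption: a dict store)."""

    def __init__(self):
        self.id = secrets.token_hex(13)
        self.data = {}


class CsrfTokenManager:
    """One random token per token id, kept in the session and reused until the
    session itself changes. Mirrors the general shape of Symfony's manager,
    not its implementation."""

    PREFIX = "_csrf/"  # assumed storage key prefix

    def __init__(self, session):
        self.session = session

    def get_token(self, token_id):
        key = self.PREFIX + token_id
        if key not in self.session.data:
            self.session.data[key] = secrets.token_urlsafe(32)
        return self.session.data[key]

    def is_token_valid(self, token_id, value):
        stored = self.session.data.get(self.PREFIX + token_id)
        if stored is None or not isinstance(value, str):
            return False
        # Constant-time compare so a wrong token leaks nothing through timing.
        return hmac.compare_digest(stored.encode(), value.encode())


def render_vote_form(session, entry_id, choice):
    """Server renders the vote control: the token travels in a hidden input."""
    token = CsrfTokenManager(session).get_token("entry_vote")
    return {"action": f"/ecf/{entry_id}?choice={choice}", "token": token}


def handle_vote(session, form):
    """Server handles the POST. 400 mirrors the BadRequestHttpException in the log."""
    if not CsrfTokenManager(session).is_token_valid("entry_vote", form.get("token")):
        return 400, "Invalid CSRF token"
    return 302, "ok"


def run_scenarios():
    """Play through the cases discussed in the thread; returns status per case."""
    session = Session()
    form = render_vote_form(session, 83304, 1)  # entry id taken from the report

    # 1. Token submitted exactly as rendered, same session: accepted.
    normal = handle_vote(session, form)

    # 2. Hidden input changed client-side (e.g. by an extension): rejected.
    tampered = handle_vote(session, {**form, "token": form["token"] + "x"})

    # 3. Page rendered under one session, submitted under a fresh one: rejected.
    new_session = handle_vote(Session(), form)

    # 4. Page is old but the session is unchanged: still accepted, because the
    #    token is per session, not per page load, in this model.
    render_vote_form(session, 17005, -1)
    stale_page = handle_vote(session, form)

    return {
        "normal": normal[0],
        "tampered": tampered[0],
        "new_session": new_session[0],
        "stale_page": stale_page[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:12s} -> {status}")
```

In this model a page that is merely old does not by itself fail the check; what fails it is a token value that differs from the stored one, or a session that no longer holds it. That is why, when chasing a report like this one, comparing the token in the submitted form body with the one in the page as rendered, and confirming the PHPSESSID sent with the POST is the same one the page was served under, is the first thing to check.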

andrewmoise commented 5 months ago

Oooh... hm, I'm fairly sure that all of the times I saw this, it was on a flaky wireless network. So it'd be easily possible that loading the whole page was blocked while the network was trying to finish its transfers, and so there was a long interval when I could hit an upvote button and trigger an unusual path.

I just tried it with some artificial throttling and hitting controls before the page was fully loaded, and I couldn't get it to happen. IDK. I'll try to dig into it more if and when I see it recurring, I guess.