NEW BUG - Firefox: Security Warning: A link from an external source has been detected and automatically disabled.
2 posts by 2 authors in: Forums > CMS Builder
Last Post: May 25, 2020 (RSS)
By kitsguru - May 22, 2020
Lately I have been getting the error "Security Warning: A link from an external source has been detected and automatically disabled." even from within CMSB on many of my sites.
I am using Firefox 76.0.1 and this started with the update to 76.0.0 and it appears to be a change to how the referrer information is passed by Firefox.
php.net says this:
'HTTP_REFERER' The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
The only work around was to disable the check by manually editing the settings.dat file.
Using phpinfo() from CMSB, the following values are showing:
// domain name modified
$_SERVER['HTTP_HOST'] example.com
$_SERVER['HTTP_REFERER'] https://example.com/
...
$_SERVER['SCRIPT_URL'] /cmsb/admin.php
$_SERVER['SCRIPT_URI'] https://example.com/cmsb/admin.php
As you can see the HTTP_REFERER does not include the full URL only the domain. This breaks the security check in security_disableExternalReferers().
Chrome is not affected by this bug.
By daniel - May 25, 2020
Hi Jeff,
I've done some testing and haven't been able to find any discrepancies between how Chrome and Firefox 76.0.1 are reporting HTTP_REFERER. Note that HTTP_REFERER contains the referring page, so it shouldn't be expected to match SCRIPT_URI. Additionally, security_disableExternalReferers() only checks that HTTP_REFERER starts the reported server/hostname so it shouldn't matter if it contains the full URL or not.
I suspect that there is either something in your server config or URL scheme that isn't being properly accounted for in CMSB's referer check. One recent addition slated for the next version fixes a few cases when detecting HTTPS: https://www.interactivetools.com/forum/forum-posts.php?postNum=2244601#post2244601 - can you try out this fix? If that doesn't help, feel free to send us a 2nd level support request (https://www.interactivetools.com/support/request/) and we can take a closer look at your specific case.
Thanks!
Technical Lead
interactivetools.com