Hello there,

On my working Debian Jessie RT I'm using the JSGantt plugin, which also
works fine except that it causes a "Possible cross-site request forgery"
warning on automatic reload.

Generally, CSRF occurrences were eliminated at the beginning of the
installation several months ago by setting

# Webdomain override
Set($WebDomain, '');
Set($WebPort, 443);
Set($WebPath, "/rt");
Set($WebBaseURL, "");

and today I added

# Prevent cross-site request forgery
Set(@ReferrerWhitelist, qw(;

When you call Gantt Chart, everything is fine. Now I have set

# Refresh global
Set($HomePageRefreshInterval, "900");
Set($SearchResultsRefreshInterval, "60");

so the Gantt chart is reloaded automatically. And the first reload
causes the CSRF warning. Then, when you resume the request manually, all
following automatic reloads work without problems.

The error message complains about a missing referrer:

Possible cross-site request forgery

RT has detected a possible cross-site request forgery for this
request, because your browser did not supply a Referrer header. A
malicious attacker may be trying to modify or access a search on your
behalf. If you did not initiate this request, then you should alert
your security team.

If you really intended to visit /rt/Search/JSGantt.html and modify or
access a search, then click here to resume your request.

After you called Gantt Chart, the URL is

and after you resumed the reload request, the URL is

I helped myself by disabling Set($SearchResultsRefreshInterval, "60"); since no one uses it, but maybe someone has some advice anyway?

Kind regards, Patrick
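The following is an added illustration, not part of Patrick's mail and not RT's own code: a small Python model of the referrer check RT describes in its warning, run over the three request shapes in the report (the manual click, the automatic reload, and the reload after "resume"). The host name rt.example.org stands in for the $WebDomain value that was stripped from the mail, the whitelist entries are made up, and the assumption that RT marks a resumed request with a CSRF_Token query parameter (so that later automatic reloads of that URL pass the check) is mine, taken from the observation that reloads work after resuming.

```python
"""Model of an RT-style referrer check for CSRF protection.

Added example, not RT's code.  Shows why an automatic reload that
omits the Referer header trips the check while a manually clicked
link or a resumed request (with a CSRF token in the URL) does not.
"""
from urllib.parse import urlsplit

# Assumed stand-ins for the values stripped from the original mail.
WEB_DOMAIN = "rt.example.org"          # $WebDomain
WEB_PORT = 443                          # $WebPort
REFERRER_WHITELIST = {                  # @ReferrerWhitelist (constructed)
    "rt.example.org:443",
    "intranet.example.org:443",
}


def _host_port(url):
    """Return 'host:port' for an http(s) URL, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"


def check_referrer(headers, query, web_domain=WEB_DOMAIN,
                   web_port=WEB_PORT, whitelist=REFERRER_WHITELIST):
    """Return (is_suspect, reason) for one request.

    headers: dict of request headers (key 'Referer').
    query:   dict of query-string parameters.
    """
    # Assumption: a request that already carries the token issued by the
    # "resume your request" link is trusted without looking at Referer.
    if query.get("CSRF_Token"):
        return False, "csrf token present"

    referer = headers.get("Referer")
    if not referer:
        return True, "no referrer"            # the case in the warning text

    host_port = _host_port(referer)
    if host_port is None:
        return True, "unparseable referrer"

    own = f"{web_domain}:{web_port}"
    if host_port == own or host_port in whitelist:
        return False, "referrer matches"
    return True, f"foreign referrer {host_port}"


def gantt_reload_sequence():
    """Constructed request sequence matching the symptoms in the mail."""
    path = "/rt/Search/JSGantt.html"
    results = []

    # 1. User clicks the Gantt link from an RT page: Referer is present.
    results.append(check_referrer(
        {"Referer": f"https://{WEB_DOMAIN}{path}"}, {}))

    # 2. First automatic reload: the browser sends no Referer.
    results.append(check_referrer({}, {}))

    # 3. User clicks "resume"; the new URL carries a token, and every
    #    later automatic reload of that URL keeps it.
    results.append(check_referrer({}, {"CSRF_Token": "deadbeef"}))

    return results


if __name__ == "__main__":
    for suspect, reason in gantt_reload_sequence():
        print(("CSRF suspected" if suspect else "allowed"), "-", reason)
```

Run as a script it prints one line per step; the middle step is the one the warning page reports. A referrer from a host that is neither $WebDomain:$WebPort nor in @ReferrerWhitelist is also flagged, which is why adding the real host names to the whitelist (as done in the mail) helps for cross-host links but cannot help for a reload that sends no Referer at all.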
RT 4.4 and RTIR training sessions, and a new workshop day! 
* Los Angeles - January 9-11 2017