Sending a POST to the /save/git/url API may return a 403
When using the public API to send a save code now request, one may encounter a Forbidden response if the Referer header is not present.
curl -D- -X POST 'https://archive.softwareheritage.org/save/git/url/https://git.joeyh.name/git/ikiwiki.git//' -H 'Accept: application/json' --data ''
HTTP/1.1 403 Forbidden
Date: Fri, 15 Nov 2019 12:34:48 GMT
Server: gunicorn/19.9.0
Content-Type: application/json
Vary: Accept
Allow: OPTIONS, POST
X-Frame-Options: SAMEORIGIN
Content-Length: 63
Via: 1.1 archive.softwareheritage.org
X-Varnish: 6599915
Age: 0
Via: 1.1 varnish (Varnish/6.1)
Strict-Transport-Security: max-age=15768000;
Connection: keep-alive
{"detail":"CSRF Failed: Referer checking failed - no Referer."}
In a web browser, the response is displayed as
The "save code now" request has been rejected because the provided origin url is blacklisted.
which is wrong:
To reproduce with Firefox, set the network.http.sendRefererHeader config to 1, then submit a save code now request via https://archive.softwareheritage.org/save/
Migrated from T2093 (view on Phabricator)
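The 403 body above reports a failed Referer check, not a blacklisted origin. As an added example (not code from Software Heritage or from the framework behind the API), here is a simplified model of a strict Referer check on an HTTPS request, showing which branch the curl request falls into. The function names, the trusted host set and every reason string except the one quoted in the response above are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# NO_REFERER is the reason text quoted in the 403 body above; the other
# three reason strings are constructed for this example.
NO_REFERER = "Referer checking failed - no Referer."
MALFORMED = "Referer checking failed - malformed Referer (constructed)"
INSECURE = "Referer checking failed - Referer is not https (constructed)"
UNTRUSTED = "Referer checking failed - untrusted Referer host (constructed)"


def check_referer(headers, request_is_https, trusted_hosts):
    """Return None when the Referer stage passes, else the rejection reason."""
    if not request_is_https:
        return None  # this model applies the strict check to HTTPS requests only
    # HTTP header names are case-insensitive.
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        return NO_REFERER
    try:
        parts = urlsplit(referer)
        host = parts.hostname
    except ValueError:
        return MALFORMED
    if not parts.scheme or not host:
        return MALFORMED
    if parts.scheme != "https":
        return INSECURE
    if host not in trusted_hosts:
        return UNTRUSTED
    return None


def respond(headers, request_is_https=True,
            trusted_hosts=frozenset({"archive.softwareheritage.org"})):
    """Return (403, body) on rejection, or None when later checks would run."""
    reason = check_referer(headers, request_is_https, trusted_hosts)
    if reason is None:
        return None
    return 403, {"detail": "CSRF Failed: " + reason}
```

A client or web front end that receives this 403 can tell it apart from other rejections by reading the `detail` field instead of keying on the status code alone.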