Issue with VSP

Affiliation
Royal Astronomical Society of New Zealand, Variable Star Section (RASNZ-VSS)
Thu, 08/06/2015 - 08:10

Hi Will
I was using the new VSP fine. But this morning when I went to download a chart, I got the message shown below. I haven't changed anything on my Mac. I haven't turned off cookies and I even checked to see it's still turned on. The funny thing is that it was working and now it's not.
Does anyone else have this problem?
Thanks
Stephen [HSP]

Forbidden (403)

CSRF verification failed. Request aborted.

You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.

If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for 'same-origin' requests.

Affiliation
Royal Astronomical Society of New Zealand, Variable Star Section (RASNZ-VSS)
It works with Chrome but not with Safari (my regular browser) nor with Firefox.
Stephen [HSP]

Affiliation
American Association of Variable Star Observers (AAVSO)
same behavior on Windows

Hi,

I can also reproduce this on Windows: with Firefox 39.0 I get the 403 code, also with IE 10.

With Chrome (Version 44.0.2403.125 m) everything works fine. Same for Opera.

Something to be noted: the web APIs don't seem to be affected by this (tested them on IE10, Chrome and Opera); this one seems to be related strictly to the VSP form and some browsers.

Regards,

Alex.

Affiliation
American Association of Variable Star Observers (AAVSO)
Me too. The phrase "if it ain't broke, don't fix it" springs to mind!

Affiliation
American Association of Variable Star Observers (AAVSO)
This is a difficult one; this issue isn't affecting everybody and I'm not sure what exactly is causing some people to see it.

Try clearing your browser cache (instructions here: http://www.refreshyourcache.com/) and let me know if that fixes it for you. 

Affiliation
Royal Astronomical Society of New Zealand, Variable Star Section (RASNZ-VSS)
Cache

Thanks, Will. I have cleared the cache in both Safari and Firefox and still I get the above error message.

Is there anyone out there who can download maps in Safari or Firefox on a Mac?
Chrome and Opera both work.
Thanks
Stephen [HSP]

Affiliation
American Association of Variable Star Observers (AAVSO)
Figured it out - http vs. https

Hi,

I think I figured it out: each time I got this error, it was due to accessing VSP as http://aavso.org.vsp

When accessing the form from https://aavso.org/vsp, everything went fine.

The cause is that the VSP form targets https://www.aavso.org/apps/vsp/chart/?fov=.... ....type=chart, and on some browsers, changing either the protocol (http vs. https) or the host part of the URL will be flagged as a cross site forgery attack. Other browsers will flag a potential attack only if the host or port part of the URL changes. In our particular case, Firefox and Safari interpreted that a form accessed via http should not target a page using https.

Bottom line, once everything on the site uses the same protocol (https, I think), everything will work just fine. Until then, I think it's safe to just update our bookmarks to use https.

Alex.

--- edited ---

Corrected typo (aavso.org/vsp, not aavso.org.vsp - thanks Stephen)
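
The comparison described in the post above (protocol, host and port of the page against those of the form target), as an added example that is not part of the original thread. The entry-page URLs are constructed assumptions; the target is the form URL quoted above with its query string left out.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Form target quoted in the post above, query string omitted.
FORM_TARGET = "https://www.aavso.org/apps/vsp/chart/"

# Constructed entry points (assumed, not taken from the thread).
ENTRY_PAGES = [
    "http://www.aavso.org/vsp",
    "https://www.aavso.org/vsp",
    "https://aavso.org/vsp",
]

def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    # .hostname is already lowercased; fill in the scheme's default port.
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]

def origin_diff(page_url, form_target):
    """List the origin components that differ between page and form target."""
    p, t = origin(page_url), origin(form_target)
    diff = [name for name, a, b in zip(("scheme", "host"), p, t) if a != b]
    # A scheme change moves the default port (80 -> 443); report the port
    # only when it differs beyond that implied change.
    both_default = p[2] == DEFAULT_PORTS[p[0]] and t[2] == DEFAULT_PORTS[t[0]]
    if p[2] != t[2] and not both_default:
        diff.append("port")
    return diff

def audit(pages, form_target):
    """Map each entry page to the components it does not share with the target."""
    return {page: origin_diff(page, form_target) for page in pages}

if __name__ == "__main__":
    for page, diff in audit(ENTRY_PAGES, FORM_TARGET).items():
        verdict = "same origin" if not diff else "differs in " + ", ".join(diff)
        print(f"{page} -> {FORM_TARGET}: {verdict}")
```
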

Affiliation
Royal Astronomical Society of New Zealand, Variable Star Section (RASNZ-VSS)
VSP in general

Thank you, Herr_Allen.
It now works.
One small typo, I believe -- https://aavso.org/vsp rather than https://aavso.org.vsp
Now I am happy as I use VSP a lot.
Kindest regards
Stephen [HSP]

Affiliation
Svensk Amator Astronomisk Forening, variabelsektionen (Sweden) (SAAF)
Alexandru's idea also works for me. https:// is OK, http:// is not OK using Firefox 38.0.5 on Mac OS X 10.10.3

Cheers,

/Gustav

Affiliation
American Association of Variable Star Observers (AAVSO)
Thanks for getting to the bottom of this, Alex! Fortunately we'll be moving to only using https: urls in the near future; at that point all http: urls will redirect to https so people won't run into this problem anymore.