NEW BUG - Firefox: Security Warning: A link from an external source has been detected and automatically disabled.

Lately I have been getting the error "Security Warning: A link from an external source has been detected and automatically disabled." even from within CMSB on many of my sites.

I am using Firefox 76.0.1 and this started with the update to 76.0.0 and it appears to be a change to how the referrer information is passed by Firefox.

php.net says this:

'HTTP_REFERER' The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

The only work around was to disable the check by manually editing the settings.dat file.

Using phpinfo() from CMSB, the following values are showing:

// domain name modified
$_SERVER['HTTP_HOST']	example.com
$_SERVER['HTTP_REFERER']	https://example.com/
...
$_SERVER['SCRIPT_URL']	/cmsb/admin.php
$_SERVER['SCRIPT_URI']	https://example.com/cmsb/admin.php

As you can see the HTTP_REFERER does not include the full URL only the domain. This breaks the security check in security_disableExternalReferers().

Chrome is not affected by this bug.