Method not allowed with this referer on Firefox

Hello,

Someone brought up an issue with my website when browsing on Firefox: it looks like Algolia requests are ending up in a 403 error with the message “Method not allowed with this referer”.

I properly filled my HTTP referrers on my search API key to be my domain & subdomains.

I wasn’t able to reproduce the error myself on Firefox, and that person also told me they didn’t have it with any other browser, just Firefox. They also tried in private browsing, the error is still there, which excludes the possibility of a plugin causing the issue…

I checked the monitoring tab of my dashboard and noticed I had a lot of similar 403 errors.

Most of them come from Firefox browsers, here are the user agents on which I had those 403 errors:

  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
  • User-Agent: Mozilla/5.0 (Android 11; Mobile; rv:85.0) Gecko/85.0 Firefox/85.0

A few from other browsers:

  • User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.68

And the following which I assume are just bots:

  • User-Agent: Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)
  • User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)

Is there anything I can do on my end to fix this? Or is it an issue between Algolia/specific browser?

Hi!

> They also tried in private browsing, the error is still there, which excludes the possibility of a plugin causing the issue…

It’s in fact possible to have browser extensions allowed to run in private mode; could you please check if it’s the case that there’s one or more FF extensions with such permission?

Could you also please check if your website specifies whether or not the referer should be sent with API calls? According to Referrer-Policy - HTTP | MDN, it’s possible to specify it in an HTTP header of the response to your webpage, or in an HTML tag <meta name="referrer" [...]>

Thanks!

After forwarding your message to the person who had the issue, they remembered they had tweaked Firefox settings and changed network.http.sendRefererHeader to false for privacy reasons.

So my issue is solved. All the other errors I see in my logs have probably done the same or something similar; anyway, I won’t be sure unless they contact me.

Thanks for your help!
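
The two causes discussed in this thread (a page Referrer-Policy that withholds the Referer, and a browser set to send none) can be modelled as follows. This is an added example, not part of the thread and not Algolia's code; the URLs, host patterns and function names are assumptions, and the allow-list matcher is a simplified stand-in for the service's real check.

```javascript
// Added example. URLs, host patterns and function names are assumptions.
// Referer a browser would attach, per the page's Referrer-Policy.
// Simplification: "downgrade" is treated as https page -> non-https request.
function refererFor(pageUrl, requestUrl, policy = "strict-origin-when-cross-origin") {
  const page = new URL(pageUrl), req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  const full = page.origin + page.pathname + page.search; // fragment is never sent
  const origin = page.origin + "/";
  switch (policy) {
    case "no-referrer": return "";
    case "no-referrer-when-downgrade": return downgrade ? "" : full;
    case "origin": return origin;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "same-origin": return sameOrigin ? full : "";
    case "strict-origin": return downgrade ? "" : origin;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : downgrade ? "" : origin;
    case "unsafe-url": return full;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Stand-in for a referer-restricted key: exact host or "*.domain" subdomains.
function refererAllowed(referer, allowedHosts) {
  if (!referer) return false; // no Referer header: nothing to match, so reject
  let host;
  try { host = new URL(referer).hostname; } catch { return false; }
  return allowedHosts.some((p) =>
    p.startsWith("*.") ? host.endsWith(p.slice(1)) : host === p);
}

// Status the search call would get for one browser/page configuration.
function apiStatus({ policy, browserSendsReferer = true }) {
  const pageUrl = "https://shop.example.com/search?q=shoes"; // constructed
  const apiUrl = "https://search-api.example.net/1/indexes/products/query"; // constructed
  const allowedHosts = ["example.com", "*.example.com"]; // constructed
  const referer = browserSendsReferer ? refererFor(pageUrl, apiUrl, policy) : "";
  return refererAllowed(referer, allowedHosts) ? 200 : 403;
}

for (const c of [
  { policy: "strict-origin-when-cross-origin" },
  { policy: "same-origin" },
  { policy: "no-referrer" },
  { policy: "strict-origin-when-cross-origin", browserSendsReferer: false },
]) console.log(JSON.stringify(c), "->", apiStatus(c));
```

With a referer-restricted key, any client that sends no Referer fails the check regardless of the site's own policy, which matches the scattered 403s from privacy-tuned browsers and bots in the logs above.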