Bad CSRF warning

January 15, 2022

On January 8, I noticed a problem when I tried to unsubscribe from a thread. Clicking on the active phrase “click here” to unsubscribe opens a new window where I click the “Unsubscribe“ button, which opens a new window which says “BAD CSRF,” instead of “Email preferences updated!”

The above happened probably at least half a dozen times before I looked at Wikipedia to see that CSRF stands for cross-site request forgery, and the information was disconcerting. Initially I thought the problem had resolved itself, but it has not. I don’t know if the problem is with my computer or with the COPA website, but I would like to see a resolution, of course. Thanks.

Best regards,

Steve Miller


That is almost always a server issue. CRSF checks are put in place to prevent forgery and other nefarious actions from occurring. Such a warning is actually a good thing showing that the server has implemented CRSF protocols.

Tagging @ErikGun so it gets visibility.



Can you try clicking on the “view topic” button and then change the tracking to something other than watching?

I will send you a email directly, asking you to forward the email to me so I can inspect and send to Discourse support.

January 15. 2022

Erik, yes, I could do what you recommended and change the topic control from watching to muted. That would seem to be a work-around maneuver but likely reasonable to try. After lunch I started going through more COPA emails, and now, of course, I’m not getting any “Bad CSRF” warnings. The Unsubscribe button seems to be working. This problem has indeed been intermittent over the last week. Thanks for your attention.

I just tested this out myself on another site. After clicking the “Unsubscribe” button for a topic, I’m redirected to a page that looks like:

That’s definitely not expected. I’ll let our engineers know about the issue. We’ll get back to you about this soon.

We think we’ve tracked down this issue to a bug in the latest version of Google Chrome (97). This was released on January 4th, and has been slowly rolling out to users since then.

Google should begin rolling out a fix for the bug in the next few days, but in the meantime we’ve applied a workaround which should resolve the problem.

Please do let us know if anyone continues to run into issues.


This topic was automatically closed after 16 days. New replies are no longer allowed.