Accessing GET vars without referer
(1.10) By Vetelko (vetelko) on 2025-01-10 22:46:56 edited from 1.09 [source]
If any page of the Wapp app is requested directly, for example by typing it into the browser, I can’t access GET variables because HTTP_REFERER isn’t set. It’s checked on line 704 in the wapp.tcl file and compared to BASE_URL.
I noticed that even in the examples in wapp-default, you have to use wapp-allow-xorigin-params. The name of this function is confusing in this case because I’m not actually disabling protection against CSRF attacks; I’m calling it because the referer isn’t set.
Simple example:
Let's say I have a URL like http://site.test?filter=true&sort=asc&page=2. During development, I want to change parameters like filter=false, sort=desc, and page=1 directly in the browser to see how different visual states and data sorting display on the page. However, when I do this, there's no referer set, and the application checks if the referer matches the BASE_URL. This causes the request to be blocked because the referer isn't present.
I can’t create links on the previous page with all possible combinations of parameters I want to test every time, as that would be very inefficient and impractical for development.
Additionally, on the live site, I must not forget to remove the wapp-allow-xorigin-params function to ensure proper security.
wapptclsh.tcl:
wapp-start -dev
or CLI and shebang:
wapptclsh -dev
Any idea how you bypass this, especially during development when URLs are often modified directly and thus without a referer?
V
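As an added illustration (not part of the post above and not Wapp's own code), here is one way to keep the same-origin referer check active in production while still being able to paste modified URLs into the address bar during development: the call to wapp-allow-xorigin-params is made only when an explicit development flag is present. The WAPP_DEV environment variable and the dev-mode? helper are assumptions of this example; they stand in for the -dev switch the post asks about, which this example does not assume exists. wapp-start, wapp-param, wapp-subst and wapp-allow-xorigin-params are Wapp procedures; the HTTP_REFERER and BASE_URL parameters are the ones the post says Wapp compares.

```tcl
package require wapp

# Hypothetical opt-in for development only. The WAPP_DEV environment variable
# is an assumption of this example, not something Wapp itself defines; set it
# only on the developer's machine, never in the production environment.
proc dev-mode? {} {
    global env
    return [expr {[info exists env(WAPP_DEV)] && $env(WAPP_DEV) eq "1"}]
}

proc wapp-default {} {
    # Wapp only exposes query-string parameters when the referer matches
    # BASE_URL. A URL typed directly into the browser carries no referer, so
    # without the call below wapp-param returns the default values instead.
    if {[dev-mode?]} {
        # Development only: accept query parameters without a matching
        # referer. Leaving this unconditional removes the CSRF guard, which is
        # exactly the production mistake the post warns about. Call it before
        # the first wapp-param that reads a query parameter.
        wapp-allow-xorigin-params
    }

    # Parameters from the example URL ?filter=true&sort=asc&page=2, each with
    # the default that is returned when the referer check blocks them.
    set filter [wapp-param filter false]
    set sort   [wapp-param sort   desc]
    set page   [wapp-param page   1]

    wapp-subst {<p>filter=%html($filter) sort=%html($sort) page=%html($page)</p>\n}
    wapp-subst {<p>referer=%html([wapp-param HTTP_REFERER (none)])</p>\n}
    wapp-subst {<p>base_url=%html([wapp-param BASE_URL (none)])</p>\n}
    wapp-subst {<p>dev mode=%html([dev-mode?])</p>\n}
}

wapp-start $argv
```

Start the script as you normally would; with WAPP_DEV=1 in the environment, a URL edited by hand in the browser shows the edited values, and without it the page falls back to the defaults and prints referer=(none), which makes the blocked case visible rather than silent. Because the opt-in lives outside the source file, nothing has to be removed from the code before deploying, which addresses the "must not forget" concern directly.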