Discuss Scratch

PkmnQ
Scratcher
1000+ posts

The Hidden Forbidden

My browser / operating system: Windows NT 10.0, Chrome 80.0.3987.132, No Flash version detected

A hidden 403 page? Ridiculous! But it exists.


There are 2 currently known ways to access it.
1. The mobile forums method - Try to sign in through the mobile forums. It's literally that easy.
2. The submit method - While writing/editing a post/topic, sign out and back in on a different tab. Then press submit.

Last edited by PkmnQ (March 12, 2020 01:09:38)

Boomer001
Scratcher
1000+ posts

The Hidden Forbidden

I noticed that
CatsUnited
Scratcher
1000+ posts

The Hidden Forbidden

It might be because the 403 page it's displaying is from a different domain, since while scratch.mit.edu's 403 domain is the oh noes cat thing, not all domains in *.scratch.mit.edu might have that 403 page appear if you trigger that. This could also be a specific 403 page for the forums or in the circumstance where a request to a server is sent that would only be possible if logged in. I don't really know much about this atm, so it might be something to look into, though I doubt this affects a lot of people.

Last edited by CatsUnited (March 7, 2020 11:03:27)

PkmnQ
Scratcher
1000+ posts

The Hidden Forbidden

CatsUnited wrote:

It might be because the 403 page it's displaying is from a different domain, since while scratch.mit.edu's 403 domain is the oh noes cat thing, not all domains in *.scratch.mit.edu might have that 403 page appear if you trigger that.
The url shows it's just a normal scratch.mit.edu url (https://scratch.mit.edu/discuss/topic/388959/?#reply). You won't get the glitch from entering the url, by the way.

CatsUnited wrote:

This could also be a specific 403 page for the forums or in the circumstance where a request to a server is sent that would only be possible if logged in.
Makes sense, but as in the post, I did log in. In fact, if you don't log in when doing the glitch, you get the normal Chrome 403. Maybe what's happening is it loaded the 403 page when you log out, but since you logged back in, Chrome said error 200.
-GentooPenguin-
Scratcher
100+ posts

The Hidden Forbidden

This once happened to me this week but it usually doesn't happen. It happened to me when I was writing a forum post. I wonder why that is?
PkmnQ
Scratcher
1000+ posts

The Hidden Forbidden

-GentooPenguin- wrote:

This once happened to me this week but it usually doesn't happen. It happened to me when I was writing a forum post. I wonder why that is?
Did you log out on another tab?
--Explosion--
Scratcher
1000+ posts

The Hidden Forbidden

This always happens if you try to sign in through the discussion forums, try going here to see what I mean.
PkmnQ
Scratcher
1000+ posts

The Hidden Forbidden

--Explosion-- wrote:

This always happens if you try to sign in through the discussion forums, try going here to see what I mean.
It didn't work when I clicked on the link. In fact, I signed in just fine. But when I went back to try the glitch without clicking your link, it worked.
PkmnQ
Scratcher
1000+ posts

The Hidden Forbidden

Just found another way to do it, but it's a little more technical.

  1. Go to account settings.
  2. Right click on the word “Username”.
  3. Click “Inspect”.
  4. 2 rows above should be an input tag. Delete that input tag.
  5. Press “Save Changes”.

Apparently, there's this type of hacking called CSRF. That input tag is to verify that you aren't CSRFing the site. I know that because its name is literally “csrfmiddlewaretoken”. When the input tag is gone, it fails to verify, and cue the hidden forbidden.

So why does this trigger on the mobile forums or logging in and out in the forums? I don't know about the former, but for the latter, I think I know. I think that the token is bound to your session, and it's different every time. Since the token is different from while you were logged in in the forums, it fails to verify, cue the hidden forbidden.

In fact, most buttons work with the logout login trick. More specifically, those whose type is “submit”. This further proves my theory above. Want even more proof? Right click on “Message”, and press Inspect. With a little more looking, bam. There's the “csrfmiddlewaretoken”.

Last edited by PkmnQ (Oct. 10, 2020 11:03:29)

Burgher1679
Scratcher
1000+ posts

The Hidden Forbidden

PkmnQ
Scratcher
1000+ posts

The Hidden Forbidden

Burgher1679 wrote:

the same thing with https://scratch.mit.edu/messages/test
That's a different one.

Now we have 4 403 pages.
The Google Chrome one, this built in one that's never used, the CSRF one, and now that one. I don't know what to call that one.
ZZC12345
Scratcher
500+ posts

The Hidden Forbidden

Wait, what? This is the error page for Django?!? Oh... I guess the forums are built with Django... so only the forums.
PkmnQ
Scratcher
1000+ posts

The Hidden Forbidden

No, it also happens with account settings. It's a CSRF 403.
ZZC12345
Scratcher
500+ posts

The Hidden Forbidden

ZZC12345 wrote:

Wait, what? This is the error page for Django?!? Oh... I guess the forums are built with Django... so only the forums.
Wait nvmd, after reading up about it, I think Scratch itself is built with Django, a Python framework. The generic error page for Django's CSRF (cross-site request forgery) protection is the one you sent a picture of. It happens when Django can't authenticate you properly, which could happen when cookies are cleared (the cookies are where the CSRF token is stored).
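
The token-binding theory in PkmnQ's earlier post and the cookie explanation just above, shown as an added illustration that is not code from Scratch, Django, or anyone in this thread: a simplified pure-Python model of the double-submit cookie check Django's CsrfViewMiddleware performs, run through the three cases the thread describes. It assumes, as Django's auth.login() does via rotate_token(), that the CSRF cookie is rotated on login, and it omits Django's token masking and Referer/Origin checks.

```python
import hmac
import secrets

CSRF_COOKIE = "csrftoken"           # cookie Django sets
CSRF_FIELD = "csrfmiddlewaretoken"  # hidden <input> the thread found

class Site:
    # Simplified model of Django's double-submit CSRF check, not Django's code.
    def login(self, cookies):
        # Django's auth.login() calls rotate_token(): the csrftoken cookie changes, so
        # a page rendered before this point now carries a stale form token.
        cookies[CSRF_COOKIE] = secrets.token_hex(16)

    def render_form(self, cookies):
        # The hidden input is filled from whatever cookie is current at render time.
        token = cookies.setdefault(CSRF_COOKIE, secrets.token_hex(16))
        return {CSRF_FIELD: token, "body": "hello forums"}

    def submit(self, cookies, form):
        # POST handling: cookie token and form token must both be present and equal.
        cookie_token = cookies.get(CSRF_COOKIE)
        form_token = form.get(CSRF_FIELD)
        if cookie_token is None or form_token is None:
            return 403  # token missing
        if not hmac.compare_digest(cookie_token, form_token):
            return 403  # token incorrect: the "hidden forbidden"
        return 200

def scenario_normal():
    cookies, site = {}, Site()
    site.login(cookies)
    return site.submit(cookies, site.render_form(cookies))

def scenario_deleted_input():
    # Account-settings trick: delete the csrfmiddlewaretoken input, then save.
    cookies, site = {}, Site()
    site.login(cookies)
    form = site.render_form(cookies)
    del form[CSRF_FIELD]
    return site.submit(cookies, form)

def scenario_relogin_other_tab():
    # Submit trick: form rendered in tab 1, log out and back in from tab 2, then submit.
    # Tabs share one cookie jar, so the rotated cookie no longer matches tab 1's field.
    cookies, site = {}, Site()
    site.login(cookies)
    stale_form = site.render_form(cookies)  # tab 1
    site.login(cookies)                     # tab 2
    return site.submit(cookies, stale_form)
```

Both 403 cases are the check working as intended: a request whose form token does not match the cookie is indistinguishable from a forged one, so the server refuses it rather than trusting the session alone.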

Powered by DjangoBB