How can WebAssembly send an HTTP POST request with a Referer header?
wrote on 28 Aug 2024, 10:53
My Qt app works with a Django REST API backend with CSRF enabled. Besides having CSRF cookies in the CookieJar, I have to add 2 raw headers when sending POST requests: X-CSRFToken and Referer. Both the Mac and Windows target apps work just fine. But the WebAssembly target can only send GET and cannot send POST, because Qt filters out the Referer header with this message in the browser console: "Qt has trimmed the following forbidden headers from the request: Referer".

I know it is not a Qt limitation but a JavaScript sandbox limitation. When I hacked the wasm binary to force Qt not to filter Referer out, I got a similar error from the browser itself. I don't really understand the security reasons behind it, but it would be quite weird if WebAssembly weren't able to communicate with a CSRF-enabled backend.

How can I make it work? Right now I have a quite useless WebAssembly target which can only read the database but is unable to write to it... As far as I know, it is not possible to have CSRF enabled in Django with Referer disabled. Any suggestions are welcome. Thanks!
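The header filtering described in the post above, as an added example that is not part of the original post and is not Qt's code: it separates the headers a script may set from the forbidden request headers of the Fetch standard, and builds the `fetch()` options for a POST that carries X-CSRFToken while leaving Referer to the browser. Assumptions: Django's default CSRF cookie name `csrftoken`, a JSON body, and the constructed helper names `splitHeaders`, `csrfTokenFromCookies` and `buildPostInit`.

```javascript
// Added example; function names and sample values are constructed.
// Always-forbidden request-header names from the Fetch standard:
// a script cannot set these, the browser fills them in itself.
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

function isForbidden(name) {
  const n = name.toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// Split caller-supplied headers into those a script may set and those trimmed.
function splitHeaders(headers) {
  const allowed = {}, trimmed = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbidden(name)) trimmed.push(name); else allowed[name] = value;
  }
  return { allowed, trimmed };
}

// Read the CSRF cookie (assumed name "csrftoken") from a Cookie string.
function csrfTokenFromCookies(cookieString) {
  for (const part of cookieString.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === "csrftoken") return decodeURIComponent(v.join("="));
  }
  return null;
}

// Build the fetch() init for a CSRF-protected POST. Referer is not set here:
// the browser adds it, and referrerPolicy only controls how much it reveals.
function buildPostInit(cookieString, body, extraHeaders = {}) {
  const { allowed, trimmed } = splitHeaders(extraHeaders);
  const token = csrfTokenFromCookies(cookieString);
  if (token === null) throw new Error("no csrftoken cookie");
  return {
    init: {
      method: "POST", credentials: "include",
      referrerPolicy: "strict-origin-when-cross-origin",
      headers: { ...allowed, "X-CSRFToken": token, "Content-Type": "application/json" },
      body: JSON.stringify(body),
    },
    trimmed,
  };
}
```

The returned `init` is what would be passed as the second argument to `fetch(url, init)`; `trimmed` lists the headers that were dropped, matching the kind of console message quoted in the post.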