Can not re-install Kirby after forgot password - invalid CSRF token

I forgot my password for my live installation. I searched the forums and found out that you need to remove the user folders at site/accounts. So I removed the folder, but after jumping to panel/installation I could not execute the new registration due to the error Invalid CSRF token!. I cleared the cache (in the browser and in the site), cleared the sessions, but nothing seemed to work.

Finally I stumbled upon an error in the Chrome console. I had set the security policy to Header set Content-Security-Policy "default-src 'self';" - this broke the installation. I had to deactivate this setting to bring the installation back to life.

After spending much more time with this issue (and with a severe caching issue in various browsers), I got it to work with the following settings:

Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'"

However, this is not considered safe in more strict environments (see CSP on MDN ff.). If you restrict your CSP more than the above before once installing the system, you may not be able to log in to the panel anymore.
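Added example, not part of the original posts and not Kirby code: a small evaluator showing how a browser decides whether inline scripts run under the two policies quoted above, and why `'unsafe-inline'` is the weaker setting (it lets every inline script run, injected ones included). The function names and the nonce policy are constructed for illustration.

```javascript
// Added example: helper names are constructed, not from Kirby or a CSP library.
// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report how a browser treats inline <script> blocks under the policy:
// 'blocked', 'all', or 'matching-only' (only nonce/hash-matched scripts run).
function inlineScriptStatus(policy) {
  const directives = parseCsp(policy);
  // script-src governs scripts; when absent, default-src is the fallback.
  // (The CSP3 script-src-elem directive is not modelled here.)
  const governing = ['script-src', 'default-src'].find((d) => directives.has(d)) || null;
  if (governing === null) return { governing, inline: 'all' };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  if (sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s))) {
    return { governing, inline: 'matching-only' };
  }
  const inline = sources.includes("'unsafe-inline'") ? 'all' : 'blocked';
  return { governing, inline };
}

// The two policies quoted in the post above.
const strictPolicy = "default-src 'self';";
const relaxedPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'";
// Constructed policy: a per-response nonce instead of 'unsafe-inline'.
const noncePolicy = "default-src 'self'; script-src 'self' 'nonce-EXAMPLE'";
for (const p of [strictPolicy, relaxedPolicy, noncePolicy]) {
  console.log(p, '=>', inlineScriptStatus(p));
}
```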

We have an issue on GitHub. It’s scheduled for 3.2.0 if we don’t run into any unexpected issues.

I have added a note about this thread to the issue.

The issue should be fixed now.