XSRF tokens do not generate while banned when submitting a support request

Reproduction Steps
Browser A: Vivaldi 5.0.2497.35 (Stable channel) (64-bit)
Browser B: Firefox 96.0 (64-bit)
OS: Windows 11 Version 21H2 (Build 22000.376)

  1. Get moderated (i.e. banned) and remain logged into that account
  2. Wait until your X-XSRF-TOKEN expires
  3. Attempt to complete and submit the form, completing the captcha successfully

Expected Behavior
I expect the X-XSRF-TOKEN to correctly generate and submit my support request

Actual Behavior
User gets stuck in a captcha loop because they cannot generate the XSRF token required to submit due to being moderated.

Submit again while logged out

Issue Area: Roblox Website
Page URL: Support - Roblox
Impact: Moderate
Frequency: Very Rarely
Date First Experienced: 2022-01-11 22:01:00 (+00:00)


I am having trouble reproducing this issue. Which URL are you seeing return the 403 status code, that is resulting in the captcha loop?


This was on the support form page. Just to make sure, are you testing on a moderated account?

I don’t believe the CSRF token is the issue here. Moderated accounts just simply get 403s on many endpoints intentionally, excluding a few like usermoderation (for getting their current moderation status/ban reason/etc).
By the way, the actual header name is X-CSRF-Token, and it usually doesn’t cause a captcha when it’s invalid - it usually comes before the captcha.

I think the actual “bug” here is that support requests are included in the pool of requests that are blocked when your account is moderated. Maybe you could rephrase this as “cannot submit support requests on a moderated account”
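To illustrate the distinction drawn in the reply above, here is an added example (not code from the original thread, and not Roblox's own client code) of how a web client commonly handles a per-request CSRF header token: send the current token, and if the server answers 403 and supplies a fresh token in a response header, adopt it and retry exactly once. A 403 that carries no fresh token is treated as a real denial, such as the intentional 403s a moderated account receives, so the client stops instead of looping. The header name, the mock server and its responses are assumptions constructed for the example; a real `fetch` call would be asynchronous, which is omitted here to keep the flow easy to follow.

```javascript
// Added example: distinguishing a stale-CSRF-token 403 (retry with the fresh
// token) from an authorization 403 (give up). Everything below is constructed
// for illustration and is not the site's real API.

const TOKEN_HEADER = "x-csrf-token"; // assumed header name, lower-cased as browsers expose it

// Constructed mock server. A stale token gets a 403 that includes a fresh
// token in the response header; a moderated account gets a bare 403 with no
// token, regardless of what the client sent.
function makeMockServer({ moderated = false, validToken = "tok-fresh" } = {}) {
  const server = { calls: 0 };
  server.send = function (url, opts = {}) {
    server.calls += 1;
    const sent = (opts.headers || {})[TOKEN_HEADER];
    if (moderated) {
      return { status: 403, headers: new Map(), body: { error: "account moderated" } };
    }
    if (sent !== validToken) {
      return {
        status: 403,
        headers: new Map([[TOKEN_HEADER, validToken]]),
        body: { error: "token validation failed" },
      };
    }
    return { status: 200, headers: new Map(), body: { ok: true } };
  };
  return server;
}

class CsrfClient {
  constructor(transport, token = "") {
    this.transport = transport; // function(url, opts) -> response, stands in for fetch
    this.token = token;
  }

  send(url, body) {
    return this.transport(url, {
      method: "POST",
      headers: { [TOKEN_HEADER]: this.token, "content-type": "application/json" },
      body: JSON.stringify(body),
    });
  }

  // Retry once on a 403 only when the server handed back a fresh token.
  // Any other 403 is returned as-is: retrying cannot fix it, so we never loop.
  post(url, body) {
    let res = this.send(url, body);
    if (res.status === 403) {
      const fresh = res.headers.get(TOKEN_HEADER);
      if (fresh && fresh !== this.token) {
        this.token = fresh;
        res = this.send(url, body);
      }
    }
    return res;
  }
}

// Runs one scenario and reports what a caller would observe.
function runScenario({ moderated }) {
  const server = makeMockServer({ moderated, validToken: "tok-fresh" });
  const client = new CsrfClient(server.send, "tok-stale"); // start with an expired token
  const res = client.post("/support-request", { message: "please review my account" });
  return { status: res.status, attempts: server.calls, token: client.token };
}

console.log("stale token, normal account:", runScenario({ moderated: false }));
console.log("moderated account:", runScenario({ moderated: true }));
```

The first scenario recovers transparently (two requests, the second with the fresh token). The second stops after one request: no fresh token arrived, so the client surfaces the 403 to the user rather than re-prompting the captcha, which is the behaviour the thread says was missing.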

For whatever reason, it was fine when I appealed immediately but a captcha loop the day after. The only thing that gave any clue was that the CSRF printed an object as shown in the original post.

You can’t edit a bug report title after the fact so idk

The X-CSRF-Token usually expires within minutes and not days, so I’m not totally sure why that happened.

Where is it printing an object? I don’t know what you mean by that.

In the (web) developer console.

I’m not quite sure what happened, I cannot replicate this bug (not banned) again.
It seems like the sort of thing that might have been missed and may deeply annoy end users.

Could you explain what the screenshot in your post is? I assumed that this was your own request you had sent.


Yes, I tested while logged in to a permanently banned account. I was able to fill out the captcha and submit the report form and got an email confirmation.