Forum Login Issue.


in Bugs: Game, Forum, Website

Posted by: bobsort.4097


This is an issue (not a blocking bug) which happens while trying to log in to the forums.

TLDR

Please remove referer check from your forum login page.

Long description

Forum login relies on the browser's REFERER header to figure out whether the user is using the login form on the website or a 3rd-party login page.

This has been obsolete since even before the GW2 forums launched. I would love someone from the dev team to look at it and remove it, or if it is absolutely necessary, replace it with a time/IP-constrained encrypted security token included in the login form.

1- The REFERER header can be manipulated by lots of browser extensions (there are about 358 of them for Firefox). Some of these extensions even allow users to send a site-specific referer. This makes using the referer as a security feature pointless. A normal user would never know and never care, and a slightly advanced user can easily undermine it.

2- For my own security reasons (avoiding trackers, cross-domain hidden frames, etc.) I always disable the referer for cross-domain websites, meaning that if, for example, yahoo.com tries to send a referer header to facebook.com, it won't be able to. URLs that don't take a referer are easier to block with a different extension.

3- It happens that the login page for forun-en.Guildwars2.com is on account.guildwars2.com, which the referer removal plugin considers cross-domain, so it will remove the referer header and you'll see a strange error message on the page (see attachment)! If you are not paying attention, you might end up spending hours of your time and the support team's to figure out what went wrong.

4- If server security is the reason, the referer can easily be replaced with an encrypted security token included in the login form (a hidden input), valid for 60 seconds (or 5 minutes) and for that specific IP address. This gives the user enough of a window to log in, while saving the page or automated login software will still need to access the login form to be able to log in. Combined with cookies, this also gives the website a lot more security than the referer. Although I still think having this token to avoid automated login is totally pointless unless you have a captcha on your page (the same reasoning is valid for the referer header).

5- This is only an inconvenience to users who installed a referer removal extension to avoid tracking. Every time they want to log in to the GW2 forums, they have to disable the extension (even if by pressing a single button) and then activate it again after login (if they remember to do so). This also makes me avoid the forums as much as possible, because I have to change my usual configuration for one specific website.

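The token scheme bobsort proposes in point 4, as an added example that is not part of this thread or of ArenaNet's forum code: an HMAC-signed hidden form token bound to its issue time and the client IP, shown next to the kind of Referer check the post complains about. The server secret, the 5-minute window, the `|` framing and the host name are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET = secrets.token_bytes(32)   # per-deployment server secret (constructed here)
TOKEN_TTL = 300                    # validity window in seconds (the 5 minutes from the post)


def referer_allows(headers: dict, expected_host: str = "account.arena.net") -> bool:
    """The check the post describes. A privacy extension that strips Referer on a
    cross-domain hop makes a legitimate user fail this, while anyone who can set
    the header freely passes it, so it is neither reliable nor a security boundary."""
    ref = headers.get("Referer", "")
    return ref.startswith(f"https://{expected_host}/")


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_token(client_ip: str, now: Optional[float] = None) -> str:
    """Mint a form token: <issue-time>|<client-ip>|<HMAC over both>, base64url-encoded.
    Goes into a hidden <input> on the login form."""
    ts = int(now if now is not None else time.time())
    payload = f"{ts}|{client_ip}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _sign(payload)).decode()


def verify_token(token: str, client_ip: str, now: Optional[float] = None) -> bool:
    """Accept only a token with a valid signature, presented from the IP it was
    issued to, and still inside TOKEN_TTL. Malformed input is simply rejected."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        ts_b, ip_b, sig = raw.split(b"|", 2)   # the digest itself may contain b"|"
        ts = int(ts_b)
    except (ValueError, binascii.Error):
        return False
    if not hmac.compare_digest(sig, _sign(ts_b + b"|" + ip_b)):   # constant-time compare
        return False
    if ip_b.decode(errors="replace") != client_ip:
        return False
    current = now if now is not None else time.time()
    return 0 <= current - ts <= TOKEN_TTL                           # reject future and stale tokens
```

Binding to the IP has the usual caveat that clients behind a changing NAT or mobile carrier will be rejected, so a deployment would typically bind to the session cookie instead of, or in addition to, the address.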


Posted by: Linken.6345


They can't fix the forum, it was developed by a third party that no longer exists.
Hence why the search function doesn't even work on it mate.


Posted by: Healix.5819


Clicking login on the forums goes to account.arena.net, which goes to itself when you log in, and that is when the referrer is required to be itself. You shouldn't have a problem if you're only blocking cross-site referrers.

They’re probably only requiring the referrer to block phishing sites from automatically transitioning to the real one, which is the simplest way to do it.

This also makes me avoid forums as much as possible because I have to change my usual configuration for one specific website.

Odd choice considering you’ve mentioned programming and the addons that let you fake the referrer. Why not just fake the referrer for account.arena.net pages or make a simple script to automatically login?