csrf_failure: Update error page.

Switches from Django's default error page to Zulip standard error
template.  Also updates template for 405 error code to not use the 404
art.

Fixes #25626.

templates/404.html

@@ -13,11 +13,7 @@
             <img src="{{ static('images/errors/400art.svg') }}" alt=""/>
             <div class="errorbox">
                 <div class="errorcontent">
-                    {% if status_code == 405 %}
-                    <h1 class="lead">{{ _("Method not allowed (405)") }}</h1>
-                    {% else %}
                     <h1 class="lead">{{ _("Page not found (404)") }}</h1>
-                    {% endif %}
                     <p>
                         {% trans %}
                         If this error is unexpected, you can

templates/4xx.html

@@ -0,0 +1,53 @@
+{% extends "zerver/portico.html" %}
+
+{% block title %}
+<title>{{ _("Error") }} | Zulip</title>
+{% endblock %}
+
+{% block portico_class_name %}error{% endblock %}
+
+{% block portico_content %}
+<div class="error_page">
+    <div class="container">
+        <div class="row-fluid">
+            <div class="errorbox">
+                <div class="errorcontent">
+                    {% if csrf_failure %}
+                    <h1 class="lead">{{ _("Access forbidden (403)") }}</h1>
+                    <p>
+                        {% trans %}
+                        Your request could not be completed because your
+                        browser did not send the credentials required to authenticate
+                        your access. To resolve this issue:
+                        {% endtrans %}
+                    </p>
+
+                    <ol>
+                        <li>
+                            {% trans %}
+                            Make sure that your browser allows cookies for this site.
+                            {% endtrans %}
+                        </li>
+                        <li>
+                            {% trans %}
+                            Check for any browser privacy settings or extensions
+                            that block Referer headers, and disable them for
+                            this site.
+                            {% endtrans %}
+                        </li>
+                    </ol>
+                    {% elif status_code == 405 %}
+                    <h1 class="lead">{{ _("Method not allowed (405)") }}</h1>
+                    <p>
+                        {% trans %}
+                        If this error is unexpected, you can
+                        <a href="mailto:{{ support_email }}">contact support</a>.
+                        {% endtrans %}
+                    </p>
+                    {% endif %}
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+{% endblock %}

zerver/decorator.py

@@ -123,7 +123,7 @@ def require_post(
                 return json_method_not_allowed(["POST"])
             else:
                 return TemplateResponse(
-                    request, "404.html", context={"status_code": 405}, status=405
+                    request, "4xx.html", context={"status_code": 405}, status=405
                 )
         return func(request, *args, **kwargs)
 

zerver/middleware.py

@@ -19,7 +19,6 @@ from django.utils.crypto import constant_time_compare
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.log import log_response
 from django.utils.translation import gettext as _
-from django.views.csrf import csrf_failure as html_csrf_failure
 from django_scim.middleware import SCIMAuthCheckMiddleware
 from django_scim.settings import scim_settings
 from sentry_sdk import set_tag
@@ -454,7 +453,7 @@ def csrf_failure(request: HttpRequest, reason: str = "") -> HttpResponse:
     if RequestNotes.get_notes(request).error_format == "JSON":
         return json_response_from_error(CsrfFailureError(reason))
     else:
-        return html_csrf_failure(request, reason)
+        return render(request, "4xx.html", context={"csrf_failure": True}, status=403)
 
 
 class LocaleMiddleware(DjangoLocaleMiddleware):