Keep getting "CSRF detected!"

[Ampersand]

Tweaking edit.php that I mentioned in a post above was good till the moment I wanted to update css file of the theme of one of my 2.03 installs. In this case theme-edit.php comes into action so it would require a similiar tweak as edit.php. Instead of tweaking it I decided to observe the beast in the wild and made minor changes to both theme-edit.php and nonce.php to compare the variables compared in nonce.php. These variables must have been different to cause CSRF alert.
So I changed line 44 of theme-edit.php to

Code:

print("inner nonce=".$nonce);    if(!check_nonce($nonce, "save"))

and line 41 of nonce.php to

Code:

print("<br/>outer hash=".get_nonce($action, $file)."<br/>");    return ( $nonce === get_nonce($action, $file) );

Then I proceeded to the test:
-started Firefox
-logged in
-edited css theme file and saved it
-received:

Code:

inner nonce=5beb6ceea80bc2d3eef440e4f14b0db2753ccda3
outer hash=462faccca9b2d0f835db060a8964219a43399eb8
CSRF detected!

I wanted to check why is the $nonce passed from theme-edit.php different than the produced within nonce.php, but beforehand... as you can see form previous post: Google Chrome worked fine.
So I checked the same steps with Chrome:
-logged out
-started Chrome
-logged in
-edited css theme file and saved it
-received:

Code:

inner nonce=973d74b22c7dc7b07de581e9be2a30011d110502
outer hash=973d74b22c7dc7b07de581e9be2a30011d110502

identical as mono-zygotic twins this time.

Definitely not a cross-browser solution...

Ok, now back to firefox: why were nonces-schmonzes different in FF? This time no sha1 in line 28 of nonce.php (don't replicate without parental guidance!):

Code:

$hash=$action.$file.$ip.$USR.$SALT;

Firefox:

Code:

inner nonce=save/admin/theme-edit.php188.146.124.177Redakcjav4pwwe37necqoo1z1b0^1durtz4dh-unx1bz
outer hash=save/admin/theme-edit.php178.180.225.246Redakcjav4pwwe37necqoo1z1b0^1durtz4dh-unx1bz

Chrome:

Code:

inner nonce=save/admin/theme-edit.php188.147.29.93Redakcjav4pwwe37necqoo1z1b0^1durtz4dh-unx1bz
outer hash=save/admin/theme-edit.php188.147.29.93Redakcjav4pwwe37necqoo1z1b0^1durtz4dh-unx1bz

wow, what a miraculous browser...
Will IPs remain identical in FF?

firefox:

Code:

inner nonce=save/admin/theme-edit.php188.147.29.93Redakcjav4pwwe37necqoo1z1b0^1durtz4dh-unx1bz
outer hash=save/admin/theme-edit.php188.147.29.93Redakcjav4pwwe37necqoo1z1b0^1durtz4dh-unx1bz

Yes, as I wrote previously - once or twice a single use of Chrome removed CSRF for some time in FF, so above you can see why.

But, will IPs remain identical in FF from now on? That's what happened after a couple of minutes:
firefox:

Code:

inner nonce=save/admin/theme-edit.php188.146.57.204Redakcjav4pwwe37necqoo1z1b0^1durtz4dh-unx1bz
outer hash=save/admin/theme-edit.php178.180.109.170Redakcjav4pwwe37necqoo1z1b0^1durtz4dh-unx1bz

Sad... I am sorry my provider does it to IP, but does he do it really? Or may be some browsers change HTTP headers? So now I use solution from SamWM's post: change line 25 of nonce.php (remember my example is from 2.03) to
$ip = $_SERVER['REMOTE_ADDR'];$ip=true;