Oz Linden

Don't check HTTP-in URL domains

Don't check HTTP-in URL domains

This is a heads-up for anyone who is using llRequestURL or llRequestSecureURL... It has come to our attention that some users may be validating that the returned URLs are in the domain they expect, presumably by matching them against something like 'sim.*\.agni\.lindenlab\.com'. These checks may have been inspired by simulator bugs that at one time or another have caused URLs to be returned that didn't work because some part of the domain name was missing. You should not attempt to val
This thread exists specifically to alert you to the fact that measures like those will no longer work (indeed, they will cause your service to fail) and give you a chance to replace those checks with something more secure. For example, if you have an HTTP GET operation to an external server, you can create your own authentication signature with something like: # The SharedSecret value is known by the server as well string SharedSecret = "a975c295ddeab5b1a5323df92f61c4cc9fc88
    • Like
    1