Ross Myhre, posted December 4, 2022 (edited)

Hello everyone,

I've been hunting around for some clarification regarding HTTP request headers. The LSL portal states, in reference to the use of custom headers: "Note that certain headers, such as the default headers, are blocked for security reasons." I can't find a list of those "default headers" anywhere. Am I correct in assuming that any of the listed headers beginning with "x-" are blocked?

I want to be sure there is no way to mess with x-secondlife-object-key before I use it for validation purposes. Am I correct to think x-secondlife-object-key can't be overwritten using a custom header?

When testing in-world, if I try to specify x-secondlife-object-key as a custom header I get an error: "HTTP_CUSTOM_HEADER value is an invalid header". This error isn't listed anywhere on the portal. I assume this means it's blocked.

Thanks for any feedback!

Edited December 4, 2022 by Ross Myhre
Wulfie Reanimator, posted December 4, 2022 (edited)

The full description for HTTP_CUSTOM_HEADER being:

> Add an extra custom HTTP header to the request. The first string is the name of the parameter to change, e.g. "Pragma", and the second string is the value, e.g. "no-cache". Up to 8 custom headers may be configured per request, and each header's combined name+value length must be no greater than 253 characters. Note that certain headers, such as the default headers, are blocked for security reasons.

It seems reasonable that this is referring to the X-SecondLife-* headers. Especially because of things like this:

> If the accessed site is relying on the LSL script to report L$ transactions, then it must check the X-SecondLife-Shard header to see if the script is running on the beta grid.

If these headers (including owner name, object UUID, location, etc.) could be set by the script, they'd be very easy to abuse.

Edited December 4, 2022 by Wulfie Reanimator
Ross Myhre (author), posted December 4, 2022 (edited)

31 minutes ago, Wulfie Reanimator said:

> The full description for HTTP_CUSTOM_HEADER being: [...] It seems reasonable that this is referring to the X-SecondLife-* headers. Especially because of things like this: [...] If these headers (including owner name, object UUID, location, etc.) could be set by the script, they'd be very easy to abuse.

Thanks, Wulfie. Yeah, it seems logical, doesn't it? I just wanted to ask in case someone knew of it being exploited somehow from experience. It would be handy if the aforementioned blocked headers were listed somewhere, but the headers with the x- suffix certainly include ones I would hope can't be tampered with; otherwise they're pretty useless.

Edited December 4, 2022 by Ross Myhre
Rider Linden (Linden), posted December 5, 2022

A non-exhaustive list of blocked headers is kept here: https://wiki.secondlife.com/wiki/Template:LSL_Constants/HTTP_Headers

(The list also appears below the parameter table on the wiki page for llHTTPRequest.)
Ross Myhre (author), posted December 7, 2022 (edited)

On 12/5/2022 at 5:20 PM, Rider Linden said:

> A non-exhaustive list of blocked headers is kept here: https://wiki.secondlife.com/wiki/Template:LSL_Constants/HTTP_Headers (The list also appears below the parameter table on the wiki page for llHTTPRequest.)

Please read the post first. Some of the headers in that list can be set manually, others are blocked. The discussion is as to which.

Edited December 7, 2022 by Ross Myhre
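The server-side check the thread circles around (trust the simulator-set X-SecondLife-* headers, check X-SecondLife-Shard as the wiki quote in Wulfie's post requires, then validate X-SecondLife-Object-Key as Ross intends), written out as an added example. This is not code from any poster and not Linden Lab code. It assumes the web server hands the handler its request headers as a mapping, that the main grid reports X-SecondLife-Shard as "Production" (the value documented on the llHTTPRequest wiki page; the beta-grid value in the sample data is constructed), and it uses placeholder object UUIDs rather than real ones.

```python
import re
from typing import Mapping, Optional, Tuple

# Constructed allowlist of object UUIDs this server trusts. Placeholder value,
# not a real Second Life object key.
TRUSTED_OBJECT_KEYS = frozenset({"11111111-2222-3333-4444-555555555555"})

# Shard name the main grid reports (assumption taken from the llHTTPRequest
# wiki page). Any other shard, e.g. the beta grid, is rejected outright.
MAIN_GRID_SHARD = "Production"

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def validate_sl_request(headers: Mapping[str, str],
                        trusted_keys=TRUSTED_OBJECT_KEYS) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request's header set.

    Only simulator-set X-SecondLife-* headers are consulted, because those are
    the ones HTTP_CUSTOM_HEADER refuses to overwrite. The request body and any
    script-settable header are treated as untrusted input and never looked at.
    """
    shard = get_header(headers, "X-SecondLife-Shard")
    if shard is None:
        return False, "missing X-SecondLife-Shard (request not from a simulator?)"
    if shard != MAIN_GRID_SHARD:
        return False, f"request came from shard {shard!r}, not the main grid"

    object_key = get_header(headers, "X-SecondLife-Object-Key")
    if object_key is None:
        return False, "missing X-SecondLife-Object-Key"
    object_key = object_key.lower()
    if not UUID_RE.fullmatch(object_key):
        return False, "X-SecondLife-Object-Key is not a well-formed UUID"
    if object_key not in trusted_keys:
        return False, "object key is not on the allowlist"
    return True, "accepted"


# Constructed sample header sets, modelled on what a simulator sends.
SAMPLE_MAIN_GRID = {
    "X-SecondLife-Shard": "Production",
    "X-SecondLife-Object-Key": "11111111-2222-3333-4444-555555555555",
    "X-SecondLife-Owner-Name": "Example Resident",
}
SAMPLE_BETA_GRID = dict(SAMPLE_MAIN_GRID, **{"X-SecondLife-Shard": "Testing"})
SAMPLE_UNKNOWN_OBJECT = dict(
    SAMPLE_MAIN_GRID,
    **{"X-SecondLife-Object-Key": "99999999-8888-7777-6666-555555555555"},
)

if __name__ == "__main__":
    for label, hdrs in [("main grid, trusted object", SAMPLE_MAIN_GRID),
                        ("beta grid", SAMPLE_BETA_GRID),
                        ("unknown object", SAMPLE_UNKNOWN_OBJECT),
                        ("no SL headers at all", {})]:
        print(f"{label}: {validate_sl_request(hdrs)}")
```

The shard check comes first so that a script on the beta grid can never reach the allowlist lookup, which is exactly the L$-transaction hazard the wiki quote describes. One caveat to keep in mind: the headers are only unforgeable for requests that actually originate from a simulator, since that is where HTTP_CUSTOM_HEADER is enforced. A plain HTTP client outside Second Life can send any header it likes, so an object-key allowlist identifies which in-world object is talking but does not by itself authenticate that the request came from Second Life; pair it with something the script and server share if that distinction matters for your application.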