
Default Headers


Ross Myhre


Hello everyone,

I've been hunting around for some clarification regarding HTTP request headers.

The LSL portal states, in reference to the use of custom headers: "Note that certain headers, such as the default headers, are blocked for security reasons."

I can't find a list of those "default headers" anywhere. Am I correct in assuming that any of the listed headers beginning with "x-" are blocked?

I want to be sure there is no way to mess with x-secondlife-object-key before I use it for validation purposes.

Am I correct to think x-secondlife-object-key can't be overwritten using a custom header?

When testing in-world, if I try to specify x-secondlife-object-key as a custom header I get an error: "HTTP_CUSTOM_HEADER value is an invalid header". This error isn't listed anywhere on the portal. I assume this means it's blocked.

Thanks for any feedback!

Edited by Ross Myhre

The full description for HTTP_CUSTOM_HEADER being:

Quote

Add an extra custom HTTP header to the request. The first string is the name of the parameter to change, e.g. "Pragma", and the second string is the value, e.g. "no-cache". Up to 8 custom headers may be configured per request, and each header's combined name+value length must be no greater than 253 characters. Note that certain headers, such as the default headers, are blocked for security reasons.

It seems reasonable that this is referring to the X-SecondLife-* headers. Especially because of things like this:

Quote

If the accessed site is relying on the LSL script to report L$ transactions, then it must check the X-SecondLife-Shard header to see if the script is running on the beta grid.

If these headers (including owner name, object UUID, location, etc) could be set by the script, they'd be very easy to abuse.

Edited by Wulfie Reanimator
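As an added illustration (not code from this thread or from Linden Lab), here is what the receiving web service's check can look like in Python. It assumes three things the thread does not state: the service keeps a registry of object keys it enrolled in-world, the script sends a hex HMAC-SHA256 over its own object key under a shared secret as the request body, and only the "Production" shard counts as the live grid. The header names are the X-SecondLife-* ones the simulator stamps on llHTTPRequest traffic. The shared secret is there for a reason the thread only hints at: the HTTP_CUSTOM_HEADER block stops an in-world script from forging those headers, but a request sent from outside the grid (curl from any machine) can carry whatever headers its author likes, so the headers alone do not prove the request came from a simulator.

```python
"""Server-side validation of an incoming llHTTPRequest.

Added example, not from the thread or from Linden Lab. Assumptions:
the service has a registry of enrolled object keys, the script puts
HMAC-SHA256(shared_secret, object_key) in hex in the request body, and
only the "Production" shard is treated as the live grid.
"""
import hashlib
import hmac
import uuid

# Header names stamped on the request by the simulator (names as on the
# LSL wiki); lookups are case-insensitive because HTTP header names are.
SHARD_HEADER = "x-secondlife-shard"
OBJECT_KEY_HEADER = "x-secondlife-object-key"
OWNER_KEY_HEADER = "x-secondlife-owner-key"

# Constructed sample registry (assumption): object keys this service enrolled
# in-world, each with the owner that enrolled it.
REGISTERED_OBJECTS = {
    "3c6a9d1e-8f2b-4b0f-9a1d-2e7c5b4a6f80": {
        "owner": "7f1c2b3a-4d5e-4f60-8a9b-0c1d2e3f4a5b",
    },
}
# Constructed shared secret (assumption); keep the real one out of source.
SHARED_SECRET = b"example-shared-secret"


class RejectedRequest(Exception):
    """Carries the reason a request must not be trusted."""


def _canonical_uuid(value):
    """Return the lowercase canonical form of a UUID string, or None."""
    try:
        return str(uuid.UUID(value))
    except (TypeError, ValueError, AttributeError):
        return None


def expected_token(object_key, secret=SHARED_SECRET):
    """Hex HMAC-SHA256 over the object key: what the script must send in the
    body. This binding is the example's own scheme, not part of llHTTPRequest."""
    return hmac.new(secret, object_key.encode("ascii"), hashlib.sha256).hexdigest()


def validate_sl_request(headers, body, registry=REGISTERED_OBJECTS,
                        secret=SHARED_SECRET):
    """Validate one request; return the trusted fields or raise RejectedRequest."""
    h = {name.lower(): value for name, value in headers.items()}

    # Only "Production" is the main grid; the beta grid reports a different
    # value, and a missing header fails the same way.
    shard = h.get(SHARD_HEADER)
    if shard != "Production":
        raise RejectedRequest(f"shard {shard!r} is not the main grid")

    object_key = _canonical_uuid(h.get(OBJECT_KEY_HEADER))
    if object_key is None:
        raise RejectedRequest("missing or malformed X-SecondLife-Object-Key")
    record = registry.get(object_key)
    if record is None:
        raise RejectedRequest(f"object {object_key} is not enrolled")

    owner_key = _canonical_uuid(h.get(OWNER_KEY_HEADER))
    if owner_key != record["owner"]:
        raise RejectedRequest("owner key does not match the enrolling owner")

    # The X-SecondLife-* headers are trustworthy only because the simulator
    # sets them and refuses HTTP_CUSTOM_HEADER overrides. A request that never
    # went through a simulator can carry any headers, so also demand proof of
    # the shared secret. (No nonce here, so a captured body can be replayed;
    # put a timestamp or nonce under the MAC for a real deployment.)
    presented = body.strip().encode("utf-8")
    if not hmac.compare_digest(presented, expected_token(object_key, secret).encode("ascii")):
        raise RejectedRequest("body token is not a valid MAC over the object key")

    return {"object_key": object_key, "owner_key": owner_key, "shard": shard}


def rejection_reason(headers, body, **kwargs):
    """None if the request is accepted, otherwise the rejection reason."""
    try:
        validate_sl_request(headers, body, **kwargs)
    except RejectedRequest as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed request as a simulator would send it for the enrolled object.
    genuine = {
        "X-SecondLife-Shard": "Production",
        "X-SecondLife-Object-Key": "3C6A9D1E-8F2B-4B0F-9A1D-2E7C5B4A6F80",
        "X-SecondLife-Owner-Key": "7f1c2b3a-4d5e-4f60-8a9b-0c1d2e3f4a5b",
    }
    token = expected_token("3c6a9d1e-8f2b-4b0f-9a1d-2e7c5b4a6f80")
    print("genuine:", rejection_reason(genuine, token))
    print("same headers, forged from outside the grid:",
          rejection_reason(genuine, "0" * 64))
    print("beta grid:", rejection_reason({**genuine, "X-SecondLife-Shard": "Testing"}, token))
```

The checks on shard, object key and owner key are exactly the ones the headers make cheap, and they are safe against in-world scripts because the simulator will not let a script override them; the body MAC is what covers the case those headers cannot, a request that did not originate on the grid at all. Header names are compared after lowercasing, and the UUID is canonicalised, so an object key arriving in upper case still matches the registry entry.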

31 minutes ago, Wulfie Reanimator said:

The full description for HTTP_CUSTOM_HEADER being:

It seems reasonable that this is referring to the X-SecondLife-* headers. Especially because of things like this:

If these headers (including owner name, object UUID, location, etc) could be set by the script, they'd be very easy to abuse.

Thanks, Wulfie,

Yeah, it seems logical, doesn't it. I just wanted to ask in case someone knew of it being exploited somehow from experience. It would be handy if the aforementioned blocked headers were listed somewhere, but the headers with the x- suffix certainly include ones I would hope can't be tampered with, otherwise they're pretty useless.

Edited by Ross Myhre

On 12/5/2022 at 5:20 PM, Rider Linden said:

A non-exhaustive list of blocked headers is kept here:

https://wiki.secondlife.com/wiki/Template:LSL_Constants/HTTP_Headers

(The list also appears below the parameter table on the wiki page for llHTTPRequest.)

Please read the post first.

Some of the headers in that list can be set manually, others are blocked. The discussion is as to which.

Edited by Ross Myhre
