|ID||Project||Category||View Status||Date Submitted||Last Update|
|0008417||opensim||[REGION] Script Functions||public||2018-12-08 11:19||2018-12-11 10:52|
|Platform||mono 18.104.22.168||OS||Debian GNU/Linux||OS Version||9|
|Target Version||Fixed in Version|
|Summary||0008417: llSetContentType doesn't set Content-Type|
|Description||llSetContentType does nothing. It's always "text/plain". I also tested it on SandboxPlaza, also didn't work. I tried to test it on some other Sims, but most seem to have the RegionURL for LSL not set in the config files and make llRequestURL impossible in the first place.|
|Steps To Reproduce||1. Run attached script|
2. Click on Link that pops up (open in the built-in browser)
3. Browser writes the text with HTML tags and doesn't parse it to an HTML page
|Additional Information||Should be able to also work on external Browser if you set its Useragent to something that includes "SecondLife" and use it from the same IP as the Viewer (according to comments on line 2004 and 2000 in LSL_Api.cs).|
|Tags||No tags attached.|
|Git Revision or version number|
|Run Mode||Grid (1 Region per Sim)|
|Environment||Mono / Linux64|
|Attached Files|| content-type-test.lsl (1,354 bytes) 2018-12-08 11:19|
0001-Remove-OpenID-cookie-check-agni_sl_session_id-from-S.patch (4,504 bytes) 2018-12-08 12:43
|osSetContentType (which skips the checks for useragent, same IP and owner in region) doesn't work either.|
It does several checks, some maybe outdated.
Take a look at LSL_Api.cs for details
and the spec at http://wiki.secondlife.com/wiki/LlSetContentType
I'll try some testing when I've the time.
edited on: 2018-12-08 13:03
LSLHttp Module is checking an OpenID 'agni_sl_session_id' cookie and declines changes to the ContentType if there is none.
This is also affecting osSetContentType, which has afaik the purpose of skipping all the checks.
Current Firestorm doesn't seem to set that cookie. Or maybe it's just set when the Region is on the same host as the Login Service that set that Cookie, like browsers usually behave?
It's all that OpenIDCookie related code here.
I would remove that check (attached patch), because SecondLife doesn't seem to check that cookie either, I can connect from external browser with the same IP and UserAgent set to "SecondLife" perfectly fine to the script, without having that cookie.
|OK, I'll look as soon as possible, thx|
edited on: 2018-12-11 07:19
This code has to come back. It is what prevents users of a region from hosting phishing sites or warez/pr0n links. The ability to send arbitrary content and HTML to any browser but the viewer built-in one can and will lead to region owners or hosters having police at the door.
EDIT: The check for IP address should avert most of the danger.
edited on: 2018-12-11 07:38
According to the SL wiki, the requirements are:
1. the web browser is the Second Life client
2. the user (logged into the SL client viewing the page) is the owner of the object.
3. the user (logged into the SL client viewing the page) is connected to the region the object is located in
1. is done by Useragent check (not reliable, but it's the same that SL does and this alone is already making sure that users can't host phishing websites)
2 and 3. are done by the IP check (also not reliable, but the same that SL does)
The additional check for the Cookie is not done by SL and the cookie is not provided by the current SLViewer, nor by Firestorm. It got provided in the past, when the Viewers used an older webkit implementation for the internal browser.
osSetContentType should only be used by those that understand the implications.
I did restrict its use a bit more.
llSetContentType seems working now. Thanks.
Note that you may need to set viewers to use internal browser for all.
They do not recognize our regions as "sl" URLs and in that case may not send needed information.
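The three requirements listed in the notes above (viewer User-Agent, object owner, owner connected to the region from the requesting IP) can be modelled as a gate that falls back to "text/plain" whenever a check fails. This is an added example, not OpenSim's code from LSL_Api.cs; the names `Presence`, `effective_content_type` and the sample UUIDs and addresses are hypothetical and constructed.

```python
import ipaddress
from dataclasses import dataclass

SAFE_DEFAULT = "text/plain"      # what is sent when any check fails
VIEWER_UA_TOKEN = "SecondLife"   # substring named in the thread


@dataclass(frozen=True)
class Presence:
    """Constructed model of a viewer session connected to the region."""
    agent_id: str
    viewer_ip: str


def _norm(ip):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def effective_content_type(requested, user_agent, remote_ip, owner_id, presences):
    """Content-Type to send for a script's HTTP response; fails closed."""
    # Check 1: the client claims to be the viewer's built-in browser.
    # The header is client-controlled, so this alone proves nothing.
    if VIEWER_UA_TOKEN not in (user_agent or ""):
        return SAFE_DEFAULT
    # Checks 2 and 3: the object's owner is connected to this region and
    # the request arrives from the same IP as that owner's viewer.
    # A shared NAT address satisfies this too, hence "not reliable".
    try:
        remote = _norm(remote_ip)
        for p in presences:
            if p.agent_id == owner_id and _norm(p.viewer_ip) == remote:
                return requested
    except ValueError:
        pass  # unparsable address: treat as a failed check
    return SAFE_DEFAULT


# Constructed sample: the owner and one visitor are in the region.
REGION = [Presence("owner-uuid", "203.0.113.5"),
          Presence("visitor-uuid", "198.51.100.7")]
```

Any request that fails a check still gets the script's body, only labelled as plain text, which matches the symptom in the original report.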
|2018-12-08 11:19||unregi||New Issue|
|2018-12-08 11:19||unregi||File Added: content-type-test.lsl|
|2018-12-08 11:27||unregi||Note Added: 0033580|
|2018-12-08 11:28||UbitUmarov||Note Added: 0033581|
|2018-12-08 12:43||unregi||File Added: 0001-Remove-OpenID-cookie-check-agni_sl_session_id-from-S.patch|
|2018-12-08 12:55||unregi||Note Added: 0033582|
|2018-12-08 12:56||UbitUmarov||Note Added: 0033583|
|2018-12-08 13:03||unregi||Note Edited: 0033582||View Revisions|
|2018-12-09 03:41||unregi||Status||new => patch included|
|2018-12-11 06:40||melanie||Note Added: 0033605|
|2018-12-11 07:19||melanie||Note Edited: 0033605||View Revisions|
|2018-12-11 07:37||unregi||Note Added: 0033606|
|2018-12-11 07:38||unregi||Note Edited: 0033606||View Revisions|
|2018-12-11 10:52||UbitUmarov||Note Added: 0033610|