|View Issue Details|
ID: 0008881
Project: opensim
Category: [REGION] Script Functions
View Status: public
Date Submitted: 2021-03-15 03:29
Last Update: 2021-03-16 14:41
Platform / Operating System / Operating System Version: (not set)
Target Version: (none)
Fixed in Version: (none)
Summary: 0008881: llHttpRequest custom header for Authorization gives script error
Description: I am making a request to an API using LSL; this requires me to use the Authorization header to supply the API token. The script does give me a valid response, and it does use the Authorization header, but it also gives me the following scripting error, which seems related to this custom header:
"llHTTPRequest: Name is invalid as a custom header at parameter 5"
We have also tried to run this function in SL; it does work over there without an error.
Steps To Reproduce: I cannot give you the API for security reasons, but make a simple request and use the custom header:
1. Make an LSL script and do the following script call in there:
    llHTTPRequest("http://opensimulator.org",
                  [HTTP_CUSTOM_HEADER, "Authorization", "Token TOKEN_REDACTED"], "");
2. You should be getting the following script error now: "llHTTPRequest: Name is invalid as a custom header at parameter 5"
Tags: No tags attached.
Git Revision or version number: (none)
Run Mode: Grid (1 Region per Sim)
Environment: Mono / Linux64
JeffKelley (note 0037663, 2021-03-15 04:49):
Per http://wiki.secondlife.com/wiki/LlHTTPRequest :
HTTP_CUSTOM_HEADER: Note that certain headers, such as the default headers, are blocked for security reasons.
'Authorization' belongs to the HttpStandardHeaders set.
(Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs, line 286)
If that works in SL, it means that SL and OS do not agree on "standard headers".
thoys (note 0037664, 2021-03-15 05:03):
Note, it does still come through and send the data. So technically it is sending the headers correctly with SL and OS, but opensim gives this additional error, which makes it impractical to use llHttpRequest for basic APIs that are authenticated in this fairly common way.
JeffKelley (note 0037665, 2021-03-15 06:12; edited on: 2021-03-15 06:12):
Yes, custom headers are added unconditionally.
The "is standard header?" test is just used to raise an error.
thoys (notes 0037666 and 0037667, 2021-03-15 06:52 and 08:01):
What is the exact security concern for the usage of this header? For me it is a pretty useful header to set.
    var req = new XMLHttpRequest();
    req.open("GET", "http://opensimulator.org/", true);
I've read more into this and I think this list is better to follow for forbidden header names: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
The LSL wiki is not really a source of absolute truth. We've reproduced this same script in SL, and they allow the header fortunately.
More information about the Authorization header usage:
piusnoel (note 0037669, 2021-03-15 09:53; edited on: 2021-03-15 09:54):
I once made a test to find out which keywords are allowed in SL compared to Opensim. I found out that only a few are not allowed and some can be set, but will be overwritten without further notice.
In those days I used my own authorization method and used something like X-MyApp-Authorization in the header.
Unfortunately I cannot find the Excel sheet with my data any more, but I still have the server and the scripts I used to test. There is some manual work to do, but you can expect that I re-create the list to compare within the next two days for further discussions.
JeffKelley (note 0037670, 2021-03-15 11:06; edited on: 2021-03-15 12:02):
> I once made a test to find out which keywords are allowed in SL compared to Opensim
Here is the list of "standard headers" used in Opensim. The headers in HTTP_CUSTOM_HEADER are searched in this list. If found, an error is issued but the header is added nevertheless.
    private static readonly HashSet<string> HttpStandardHeaders = new HashSet<string>(StringComparer.InvariantCultureIgnoreCase)
    {
        "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language",
        "Accept-Ranges", "Age", "Allow", "Authorization", "Cache-Control",
        "Connection", "Content-Encoding", "Content-Language",
        "Content-Length", "Content-Location", "Content-MD5",
        "Content-Range", "Content-Type", "Date", "ETag", "Expect",
        "Expires", "From", "Host", "If-Match", "If-Modified-Since",
        "If-None-Match", "If-Range", "If-Unmodified-Since", "Last-Modified",
        "Location", "Max-Forwards", "Pragma", "Proxy-Authenticate",
        "Proxy-Authorization", "Range", "Referer", "Retry-After", "Server",
        "TE", "Trailer", "Transfer-Encoding", "Upgrade", "User-Agent",
        "Vary", "Via", "Warning", "WWW-Authenticate"
    };
It would be trivial to either 1/ dismiss the error message or 2/ drop the headers in this list. But the issue needs more thinking about what can and what can't be overridden, and security implications.
Note: "Custom" headers are X-Things, usually.
piusnoel (note 0037671, 2021-03-16 14:39):
Testing the list of Opensim HTTP Standard Headers in Second Life results in four different behaviours.
1) A script error like the one in Opensim is produced. The request is aborted.
2) The header is accepted and the value is passed as is. The request is not aborted.
3) The header is accepted, but its value is cleared out. The request is not aborted.
4) The header is accepted, but its value is overwritten. The request is not aborted.

OS HTTP Std Header       Behaviour in SL
Accept                   Script error
Accept-Charset *         Script error
Accept-Encoding *        value passed
Accept-Language          value passed
Accept-Ranges            value passed
Age                      value passed
Allow                    value passed
Authorization            value passed
Cache-Control            value cleared
Connection *             overwritten (e.g. keep-alive)
Content-Encoding         value passed
Content-Language         value passed
Content-Length *         value cleared
Content-Location         value passed
Content-MD5              value passed
Content-Range            value passed
Content-Type             Script error
Date *                   value cleared
ETag                     value passed
Expect *                 value cleared
Expires                  value passed
From                     Script error
Host *                   Script error
If-Match                 value cleared
If-Modified-Since        value cleared
If-None-Match            value cleared
If-Range                 value passed
If-Unmodified-Since      value cleared
Last-Modified            value passed
Location                 value passed
Max-Forwards             value cleared
Pragma                   value passed
Proxy-Authenticate *     value cleared
Proxy-Authorization *    value cleared
Range                    value passed
Referer *                Script error
Retry-After              value passed
Server                   value passed
TE *                     Script error
Trailer *                Script error
Transfer-Encoding *      value cleared
Upgrade *                Script error
User-Agent               Script error
Vary                     value cleared
Via *                    Script error
Warning                  value cleared
WWW-Authenticate         value passed

An * means it's in the list of forbidden header names on the MDN web site (mentioned by @thoys). According to a note, User-Agent is no longer forbidden by spec. But I think we should leave it as is.
UbitUmarov (note 0037672, 2021-03-16 14:41):
will look into this...
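Added example (editor's code, not OpenSim's or Second Life's): a small Python model of the two header policies discussed in this thread, the OpenSim check as JeffKelley describes it (a name found in HttpStandardHeaders raises the script error, yet the header is sent anyway, so the check fails open) and a stricter variant built from the '*' entries in piusnoel's table. It walks an llHTTPRequest parameter list, reports which names each policy flags and, in the strict variant, refuses the whole request for forbidden names (the ones that describe the transport or proxy path, where a script-controlled value can desynchronise the client from the server), for names that are not RFC 7230 tokens, and for values containing CR or LF (which would let a script append header lines of its own), while passing Authorization through. The LSL constant values, the sample parameter lists and the Proxy-/Sec- prefix rule (taken from MDN's list, not from this page) are assumptions.

```python
"""Custom-header policy for an llHTTPRequest-style scripted HTTP client.

Editor's example, not OpenSim or SL code. opensim_check() models the reported
behaviour (warn on standard names, send everything); strict_check() blocks
only forbidden or malformed headers and aborts instead of warning.
"""
import string
from typing import Dict, List, Tuple

# LSL option constants (values as on the LSL wiki; assumed here).
HTTP_METHOD = 0
HTTP_MIMETYPE = 1
HTTP_CUSTOM_HEADER = 5

# OpenSim's HttpStandardHeaders set as quoted in this issue (case-insensitive).
OPENSIM_STANDARD_HEADERS = frozenset(h.lower() for h in (
    "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language",
    "Accept-Ranges", "Age", "Allow", "Authorization", "Cache-Control",
    "Connection", "Content-Encoding", "Content-Language",
    "Content-Length", "Content-Location", "Content-MD5",
    "Content-Range", "Content-Type", "Date", "ETag", "Expect",
    "Expires", "From", "Host", "If-Match", "If-Modified-Since",
    "If-None-Match", "If-Range", "If-Unmodified-Since", "Last-Modified",
    "Location", "Max-Forwards", "Pragma", "Proxy-Authenticate",
    "Proxy-Authorization", "Range", "Referer", "Retry-After", "Server",
    "TE", "Trailer", "Transfer-Encoding", "Upgrade", "User-Agent",
    "Vary", "Via", "Warning", "WWW-Authenticate",
))

# The '*' entries from piusnoel's table (MDN forbidden header names): they
# describe the transport or proxy/auth path, not the application.
# MDN also forbids the Proxy-* and Sec-* prefixes wholesale (assumption: from MDN).
FORBIDDEN_HEADERS = frozenset(h.lower() for h in (
    "Accept-Charset", "Accept-Encoding", "Connection", "Content-Length",
    "Date", "Expect", "Host", "Proxy-Authenticate", "Proxy-Authorization",
    "Referer", "TE", "Trailer", "Transfer-Encoding", "Upgrade", "Via",
))
FORBIDDEN_PREFIXES = ("proxy-", "sec-")

# RFC 7230 'tchar': the characters allowed in a header field name.
_TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)

Header = Tuple[int, str, str]  # (index of the name in the parameter list, name, value)


def custom_headers(params: list) -> List[Header]:
    """Extract HTTP_CUSTOM_HEADER triples from an llHTTPRequest parameter list.

    Every other option is a (constant, value) pair; HTTP_CUSTOM_HEADER takes a
    name and a value. The recorded index is the position of the name.
    """
    out: List[Header] = []
    i = 0
    while i < len(params):
        if params[i] == HTTP_CUSTOM_HEADER:
            if i + 2 >= len(params):
                raise ValueError(f"HTTP_CUSTOM_HEADER at parameter {i} needs a name and a value")
            out.append((i + 1, str(params[i + 1]), str(params[i + 2])))
            i += 3
        else:
            i += 2
    return out


def opensim_check(headers: List[Header]) -> Tuple[Dict[str, str], List[str]]:
    """Reported OpenSim behaviour: error on standard names, but send every header."""
    errors = [
        f"llHTTPRequest: Name is invalid as a custom header at parameter {idx}"
        for idx, name, _ in headers
        if name.lower() in OPENSIM_STANDARD_HEADERS
    ]
    sent = {name: value for _, name, value in headers}
    return sent, errors


def strict_check(headers: List[Header]) -> Tuple[Dict[str, str], List[str]]:
    """Stricter policy: reject forbidden or malformed headers and abort the
    request (as SL does for its blocked names); pass the rest through."""
    sent: Dict[str, str] = {}
    errors: List[str] = []
    for idx, name, value in headers:
        lname = name.lower()
        if not name or any(c not in _TCHAR for c in name):
            errors.append(f"parameter {idx}: {name!r} is not a valid header name")
        elif lname in FORBIDDEN_HEADERS or lname.startswith(FORBIDDEN_PREFIXES):
            errors.append(f"parameter {idx}: {name!r} is a forbidden header")
        elif "\r" in value or "\n" in value:
            # A CR/LF inside a value would let the script inject extra header lines.
            errors.append(f"parameter {idx}: value of {name!r} contains CR/LF")
        else:
            sent[name] = value
    if errors:
        return {}, errors  # abort: nothing is sent
    return sent, errors


if __name__ == "__main__":
    # Constructed parameter list in the shape of the reporter's call (not their script).
    params = [HTTP_METHOD, "GET", HTTP_MIMETYPE, "application/json",
              HTTP_CUSTOM_HEADER, "Authorization", "Token TOKEN_REDACTED"]
    hdrs = custom_headers(params)
    print("opensim:", opensim_check(hdrs))
    print("strict: ", strict_check(hdrs))
    print("strict: ", strict_check(custom_headers(
        [HTTP_CUSTOM_HEADER, "Host", "other.example",
         HTTP_CUSTOM_HEADER, "X-Note", "ok\r\nInjected: yes"])))
```

With the constructed list above, both policies put Authorization at parameter 5, which is the position OpenSim's message names; the difference is that the OpenSim model still sends it after complaining, while the strict model sends it without complaint and instead refuses requests that try to set Host or smuggle a line break into a value.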
Issue History
2021-03-15 03:29  thoys       New Issue
2021-03-15 04:49  JeffKelley  Note Added: 0037663
2021-03-15 05:03  thoys       Note Added: 0037664
2021-03-15 06:12  JeffKelley  Note Added: 0037665
2021-03-15 06:12  JeffKelley  Note Edited: 0037665
2021-03-15 06:52  thoys       Note Added: 0037666
2021-03-15 08:01  thoys       Note Added: 0037667
2021-03-15 09:53  piusnoel    Note Added: 0037669
2021-03-15 09:54  piusnoel    Note Edited: 0037669
2021-03-15 11:06  JeffKelley  Note Added: 0037670
2021-03-15 11:07  JeffKelley  Note Edited: 0037670
2021-03-15 11:10  JeffKelley  Note Edited: 0037670
2021-03-15 12:02  JeffKelley  Note Edited: 0037670
2021-03-16 14:39  piusnoel    Note Added: 0037671
2021-03-16 14:41  UbitUmarov  Note Added: 0037672