[Opensim-dev] Patch for New llHTTPRequest Internal Header Values

Mike Higgins mike at kayaker.net
Sun Nov 10 23:36:26 UTC 2019


Background:

Every time a script makes a call to llHTTPRequest, the system 
automatically adds a few values to the header of the request. Things 
like the name and UUID of the owner of the prim. These values turn out 
to be incredibly useful for authentication, commerce and other 
cryptographic uses. For example, it is extremely difficult for an avatar 
to spoof her own UUID. So this value can be used to uniquely 
authenticate that the person using a prim is in fact who she claims to 
be. This can then be used in place of a password to access content on 
the Web, to identify sellers in commercial grids, to implement digital 
rights management and probably many other uses. There are other values 
that I wish LL had added to the header, so now I have added them in this 
patch.

Patch to Add New Values:

The enclosed patch adds a bunch more potentially useful values to the 
HTTP Request header. No change is made to the existing header values. 
The new header values have a different prefix (X-OpenSim- instead of 
X-SecondLife-) so they will not be seen by existing code that looks for 
the old ones. The patch implements several new INI configuration values 
to enable these new header values (OpenSimHeaders=true in the [Network] 
section). The default value of this is false so grid owners have the 
choice of enabling it in their regions.

The new header values I have added include things like the grid name 
(which is not reliably sent in the X-SecondLife-Shard value in the 
header), more information identifying regions and parcels (for 
implementing functions based on location), information about the calling 
script, and more information about the prim the request comes from. For 
example, I added X-OpenSim-Prim-Creator-Key and 
X-OpenSim-Script-Creator-Key which may be useful for vending machines 
and DRM schemes. I added the owner mask for checking what permissions 
the user has on the prim and parcel flags to check what avatars are 
allowed to do there. These are integer values that require knowing which 
bits encode which permissions. (That information can be had from the LSL 
Wiki).

I added a few description values, which are moderately sized (128 
character) strings. I was concerned that they may contain strings that 
need to be escaped before placing in the header. However, I tested this 
and found that these strings are already escaped down-stream in the 
code. This makes sense, since other strings in the header need escaping.

These values cannot be sent in the header argument or the URL of an 
llHTTPRequest. Actually they could be, but if they were they could 
easily be spoofed. If these values are collected by the system inside 
the llHTTPRequest code, as I have done in this patch, then they cannot 
be spoofed. For example, a copybotter could break open a script and 
change UUID and names if those were in the parameters of llHTTPRequest. 
If the names and UUIDs are added internally by llHTTPRequest, the 
copybotter cannot hide his own ID and location. (Without a lot of work 
building standalone grids or modifying the code of OpenSim.)

I don't think any of the values I have added to the header decrease 
security or privacy. Everything I have included is already readily 
available by common means in-world.

I did include a lot of new values, many of which I don't see an 
immediate use for. You might argue that it is a lot of information and 
makes headers a lot larger. To address this, I added separate switches 
to the [Network] section of the INI configuration files to disable 
different classes of values. There is a separate option for information 
about the grid, region, parcel, prim and script. Plus one more option to 
disable including the description strings in the header. Sample INI 
configuration:

[Network]
OpenSimHeaders = true ;add new information to llHTTPRequest header
;OpenSimHeadersGrid = false ;if false, don't include grid info in header
;OpenSimHeadersRegion = false ;don't include region info
;OpenSimHeadersParcel = false ;parcel info
;OpenSimHeadersPrim = false ;extra prim info
;OpenSimHeadersScript = false ;script info
;OpenSimHeadersDesc = false ;descriptions (prim and script)


Complete list of new header values added:


X-Opensim-Grid-Login-Uri
X-Opensim-Grid-Name
X-Opensim-Parcel-Flags
X-Opensim-Parcel-Group-Key
X-Opensim-Parcel-Key
X-Opensim-Parcel-Name
X-Opensim-Parcel-Owner-Key
X-Opensim-Prim-Creator-Key
X-Opensim-Prim-Description
X-Opensim-Prim-Group-Key
X-Opensim-Prim-Owner-Mask
X-Opensim-Prim-Sit-Text
X-Opensim-Prim-Text
X-Opensim-Prim-Touch-Text
X-Opensim-Region-Key
X-Opensim-Region-Size-X
X-Opensim-Region-Size-Y
X-Opensim-Script-Creator-Key
X-Opensim-Script-Description
X-Opensim-Script-Name
X-Opensim-Script-Perms-Mask
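
Added example, not part of the original post or of the OpenSim patch: a receiving web service checking the creator-key headers and decoding the owner mask with the LSL PERM_* bit values. Assumptions: the trusted simulator network, the sample UUID, the function names, and that the mask arrives as a decimal or 0x-prefixed integer string.

```python
import ipaddress
import uuid

# LSL PERM_* bit values, as documented for the permission masks.
PERM_BITS = {"transfer": 0x2000, "modify": 0x4000, "copy": 0x8000, "move": 0x80000}
# Assumption: networks of the simulators this site trusts (constructed value).
TRUSTED_SIMULATORS = [ipaddress.ip_network("192.0.2.0/28")]
# Constructed sample request headers; the UUID is made up.
CREATOR = "11111111-2222-4333-8444-555555555555"
SAMPLE = {
    "X-Opensim-Prim-Creator-Key": CREATOR,
    "X-Opensim-Script-Creator-Key": CREATOR,
    "X-Opensim-Prim-Owner-Mask": "573440",  # copy | modify | move
}


def _uuid(headers, name):
    """Return the named header as a UUID, or None if absent or malformed."""
    try:
        return uuid.UUID(headers[name])
    except (KeyError, ValueError):
        return None


def check_request(peer_ip, headers, expected_creator):
    """Return (ok, reason, owner_perms) for one incoming request."""
    # Header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v.strip() for k, v in headers.items()}
    addr = ipaddress.ip_address(peer_ip)
    # Any HTTP client can send X-OpenSim-* lines; only a trusted simulator's count.
    if not any(addr in net for net in TRUSTED_SIMULATORS):
        return False, "untrusted-peer", set()
    expected = uuid.UUID(expected_creator)
    for name in ("x-opensim-prim-creator-key", "x-opensim-script-creator-key"):
        if _uuid(headers, name) != expected:
            return False, "creator-mismatch", set()
    try:
        mask = int(headers.get("x-opensim-prim-owner-mask", ""), 0)  # decimal or 0x hex
    except ValueError:
        return False, "bad-owner-mask", set()
    return True, "ok", {name for name, bit in PERM_BITS.items() if mask & bit}


if __name__ == "__main__":
    print(check_request("192.0.2.5", SAMPLE, CREATOR))
```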




