There is already a mechanism to add Header entries in llHttpRequest (http://wiki.secondlife.com/wiki/HTTP_CUSTOM_HEADER) . And I don't think it's reasonable to consider anything on the header trusted or secure just because its in the header. I'd argue there's little utility to adding a bunch of data to the header that can't be trusted implicitly and it may bulk up the message to the degree that the data gets split across packets and delivered less efficiently. But my main argument against the approach would be that information in the header is somehow secure or trustable. It's just not.
Mike -----Original Message----- From: opensim-dev-boun...@opensimulator.org <opensim-dev-boun...@opensimulator.org> On Behalf Of Haravikk Sent: Monday, November 11, 2019 5:26 AM To: opensim-dev@opensimulator.org Subject: Re: [Opensim-dev] Patch for New llHTTPRequest Internal Header Values > On 10 Nov 2019, at 23:36, Mike Higgins <m...@kayaker.net> wrote: > > These values turn out to be incredibly useful for authentication, commerce and other cryptographic uses. For example, it is extremely difficult for an avatar to spoof her own UUID. So this value can be used to uniquely authenticate that the person using a prim is in fact who she claims to be. I'd caution against using this is a sole factor in authentication; the whole point of OpenSimulator is that anybody can setup and run a simulator, and the code is open source, so it would be entirely possible to send false requests from a malicious server (or CURL or similar if you know what you're doing), there's also no guarantee that an avatar's UUID is unique between grids (it should be, but it also may not be, e.g- if data was imported, or someone changed their UUID on purpose). You would also need to establish that the request comes from a trustworthy grid, and there isn't currently a way to do this as such, as again a malicious request can pretend to come from any grid it likes, unless you have a list of all valid IP's for that grid, you can't verify it. I discussed a possible method to check that a simulator actually belongs to the grid it says it does via a grid-level API, but have never found the time to sit down and learn enough about the OpenSimulator code to implement it. If you're interested, I covered this in a pair of wiki articles: http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerification <http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerification> and http://opensimulator.org/wiki/User:Haravikk_Mistral/ExpandedGridInfoAvailabi lity So yeah, if you want validation I strongly recommend something more than just checking the headers in an HTTP request at present; an initial password then a persistent session token is still my preferred method, so a user should only need to enter their password (and it should only be held by the script) during initial setup of a device, or if they let the session expire. > [Network] > > OpenSimHeaders = true ;add new information to llHTTPRequest header > > ;OpenSimHeadersGrid = false ;if false, don't include grid info in header > > ;OpenSimHeadersRegion = false ;don't include region info > > ;OpenSimHeadersParcel = false ;parcel info > > ;OpenSimHeadersPrim = false ;extra prim info > > ;OpenSimHeadersScript = false ;script info > > ;OpenSimHeadersDesc = false ;descriptions (prim and script) > > > Complete list of new header values added: > > > X-Opensim-Grid-Login-Uri > > X-Opensim-Grid-Name > > X-Opensim-Parcel-Flags > > X-Opensim-Parcel-Group-Key > > X-Opensim-Parcel-Key > > X-Opensim-Parcel-Name > > X-Opensim-Parcel-Owner-Key > > X-Opensim-Prim-Creator-Key > > X-Opensim-Prim-Description > > X-Opensim-Prim-Group-Key > > X-Opensim-Prim-Owner-Mask > > X-Opensim-Prim-Sit-Text > > X-Opensim-Prim-Text > > X-Opensim-Prim-Touch-Text > > X-Opensim-Region-Key > > X-Opensim-Region-Size-X > > X-Opensim-Region-Size-Y > > X-Opensim-Script-Creator-Key > > X-Opensim-Script-Description > > X-Opensim-Script-Name > > X-Opensim-Script-Perms-Mask I'm generally in favour of these though; personally I wonder if we should just include grid info as standard, since it's such a crucial part to OpenSimulator, shouldn't present a security threat (unless your login URI is unsecured somehow, in which case you have bigger problems) and it's useful for basic verification of an HTTP request. _______________________________________________ Opensim-dev mailing list Opensim-dev@opensimulator.org http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev _______________________________________________ Opensim-dev mailing list Opensim-dev@opensimulator.org http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
