Background:

Every time a script makes a call to llHTTPRequest, the system automatically adds a few values to the header of the request, such as the name and UUID of the owner of the prim. These values turn out to be incredibly useful for authentication, commerce and other cryptographic uses. For example, it is extremely difficult for an avatar to spoof her own UUID, so this value can be used to uniquely authenticate that the person using a prim is in fact who she claims to be. This can then be used in place of a password to access content on the web, to identify sellers in commercial grids, to implement digital rights management and probably many other uses. There are other values that I wish LL had added to the header, so now I have added them in this patch.

Patch to Add New Values:

The enclosed patch adds a bunch more potentially useful values to the HTTP Request header. No change is made to the existing header values. The new header values have a different prefix (X-OpenSim- instead of X-SecondLife-) so they will not be seen by existing code that looks for the old ones. The patch implements several new INI configuration values to enable these new header values (OpenSimHeaders=true in the [Network] section). The default value of this is false so grid owners have the choice of enabling it in their regions.

The new header values I have added include things like the grid name (which is not reliably sent in the X-SecondLife-Shard value in the header), more information identifying regions and parcels (for implementing functions based on location), information about the calling script, and more information about the prim the request comes from. For example, I added X-OpenSim-Prim-Creator-Key and X-OpenSim-Script-Creator-Key, which may be useful for vending machines and DRM schemes. I added the owner mask for checking what permissions the user has on the prim, and parcel flags to check what avatars are allowed to do there. These are integer values that require knowing which bits encode which permissions. (That information can be had from the LSL Wiki.)

I added a few description values, which are moderately sized (128-character) strings. I was concerned that they may contain strings that need to be escaped before being placed in the header. However, I tested this and found that these strings are already escaped downstream in the code. This makes sense, since other strings in the header need escaping.

These values cannot be sent in the header argument or the URL of an llHTTPRequest. Actually they could be, but if they were they could easily be spoofed. If these values are collected by the system inside the llHTTPRequest code, as I have done in this patch, then they cannot be spoofed. For example, a copybotter could break open a script and change UUIDs and names if those were in the parameters of llHTTPRequest. If the names and UUIDs are added internally by llHTTPRequest, the copybotter cannot hide his own ID and location (without a lot of work building standalone grids or modifying the code of OpenSim).

I don't think any of the values I have added to the header decrease security or privacy. Everything I have included is already readily available by common means in-world.

I did include a lot of new values, many of which I don't see an immediate use for. You might argue that it is a lot of information and makes headers a lot larger. To address this, I added separate switches to the [Network] section of the INI configuration files to disable different classes of values. There is a separate option for information about the grid, region, parcel, prim and script, plus one more option to disable including the description strings in the header. Sample INI configuration:

[Network]
OpenSimHeaders = true ;add new information to llHTTPRequest header
;OpenSimHeadersGrid = false ;if false, don't include grid info in header
;OpenSimHeadersRegion = false ;don't include region info
;OpenSimHeadersParcel = false ;parcel info
;OpenSimHeadersPrim = false ;extra prim info
;OpenSimHeadersScript = false ;script info
;OpenSimHeadersDesc = false ;descriptions (prim and script)


Complete list of new header values added:


X-Opensim-Grid-Login-Uri
X-Opensim-Grid-Name
X-Opensim-Parcel-Flags
X-Opensim-Parcel-Group-Key
X-Opensim-Parcel-Key
X-Opensim-Parcel-Name
X-Opensim-Parcel-Owner-Key
X-Opensim-Prim-Creator-Key
X-Opensim-Prim-Description
X-Opensim-Prim-Group-Key
X-Opensim-Prim-Owner-Mask
X-Opensim-Prim-Sit-Text
X-Opensim-Prim-Text
X-Opensim-Prim-Touch-Text
X-Opensim-Region-Key
X-Opensim-Region-Size-X
X-Opensim-Region-Size-Y
X-Opensim-Script-Creator-Key
X-Opensim-Script-Description
X-Opensim-Script-Name
X-Opensim-Script-Perms-Mask
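
Added example, not part of the original post or the patch: a receiving web service that uses the existing X-SecondLife-Owner-Key header for authentication and decodes the X-Opensim-Prim-Owner-Mask bits. The function names, the trusted simulator network, the owner allow-list and the decimal encoding of the mask are assumptions made for illustration.

```python
import ipaddress
import uuid

# LSL PERM_* bit values, as listed on the LSL Wiki.
PERM_BITS = {"transfer": 0x2000, "modify": 0x4000, "copy": 0x8000, "move": 0x80000}

# Constructed deployment settings (placeholders, not values from the post).
TRUSTED_SIM_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_OWNERS = {uuid.UUID("11111111-2222-3333-4444-555555555555")}

# Constructed sample of the headers a simulator would attach.
SAMPLE_HEADERS = {
    "X-SecondLife-Owner-Key": "11111111-2222-3333-4444-555555555555",
    "X-Opensim-Prim-Owner-Mask": "49152",  # assumed decimal: copy | modify
}


def decode_owner_mask(raw):
    """Return the permission names set in a decimal mask string."""
    mask = int(raw, 10)
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("mask outside 32-bit range")
    return {name for name, bit in PERM_BITS.items() if mask & bit}


def verify_request(headers, remote_addr):
    """Return (True, perms) if the request is accepted, else (False, reason)."""
    # Any HTTP client can send these header names, so they are only
    # meaningful when the connection comes from a simulator host we trust.
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_SIM_NETS):
        return False, "untrusted source"
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    try:
        owner = uuid.UUID(h["x-secondlife-owner-key"])
        perms = decode_owner_mask(h["x-opensim-prim-owner-mask"])
    except (KeyError, ValueError):
        return False, "missing or malformed header"
    if owner not in ALLOWED_OWNERS:
        return False, "owner not allowed"
    return True, perms


if __name__ == "__main__":
    print(verify_request(SAMPLE_HEADERS, "192.0.2.10"))
```

Pass the socket peer address as remote_addr; a client-supplied forwarding header is as easy to forge as the values being checked.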



_______________________________________________
Opensim-dev mailing list
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev