From 3255335c42ff348465d235a3ccf9558d0d6d414b Mon Sep 17 00:00:00 2001
From: Justin Clark-Casey (justincc)
Date: Wed, 4 Mar 2015 17:51:11 +0000
Subject: Make private services forbid llHTTPRequest() calls by rejecting those
 that have the X-SecondLife-Shard header.

If you need to enable this, set AllowHttpRequestIn = true in [Network] for all private services or individual [*Service] sections.
---
 bin/Robust.HG.ini.example | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'bin/Robust.HG.ini.example')

diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example
index 5fa4026..872a7f8 100644
--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
@@ -153,6 +153,13 @@
     ;; Hypergrid services are not affected by this; they are publicly available 
     ;; by design.
 
+    ;; By default, scripts are not allowed to call private services via llHttpRequest()
+    ;; Such calls are detected by the X-SecondLife-Shared HTTP header
+    ;; If you allow such calls you must be sure that they are restricted to very trusted scripters
+    ;; (remember scripts can also be in visiting avatar attachments).
+    ;; This can be overriden in individual private service sections if necessary
+    AllowllHTTPRequestIn = false
+
     ; * The following are for the remote console
     ; * They have no effect for the local or basic console types
     ; * Leave commented to diable logins to the console
-- 
cgit v1.1