Bugzilla – Bug 756
setup links broken when running on port 80
Last modified: 2008-12-18 11:53:20 UTC
Setup links (server settings, player settings, etc.) don't work when slimserver is running on port 80. Attempting to follow one of these links results in a 403 page. It appears that preventing cross-site scripting attacks means ensuring that the referrer in the HTTP request is the same host slimserver is running on. However, the actual comparison looks at hostname:port, and when running on port 80, the browser will compress this to just hostname, and the comparison fails.
Created attachment 234: patch to allow setup links to work when running on port 80

This was diffed against BRANCH_5_4_x but works with trunk just as well.
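Added example, not part of the bug report or the attached patch: the failure described in the report, reproduced in Python (SlimServer itself is Perl), beside a comparison that fills in the scheme's default port before comparing. The function names, the `slim.example` host and the exact shape of the failing comparison are assumptions based on the report's description.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_referer_check(referer, server_host, server_port):
    """Assumed shape of the failing test: compare the Referer's authority
    string with "hostname:port" built from the server's settings."""
    return urlsplit(referer).netloc == f"{server_host}:{server_port}"


def referer_matches_server(referer, server_host, server_port, scheme="http"):
    """Compare (scheme, host, port) after filling in the default port."""
    if not referer:
        return False  # a referrer test rejects requests with no Referer
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != scheme or not parts.hostname:
        return False
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    # .hostname drops any userinfo and lowercases the name, so
    # "http://slim.example@other.example/" compares as other.example.
    return (parts.hostname, port) == (server_host.lower(), server_port)


# Constructed sample requests: (Referer header, port the server listens on)
SAMPLES = [
    ("http://slim.example:9000/setup.html", 9000),
    ("http://slim.example/setup.html", 80),       # browser omits ":80"
    ("http://other.example/setup.html", 80),      # cross-site
    ("http://slim.example@other.example/", 80),   # userinfo in authority
]

if __name__ == "__main__":
    for referer, port in SAMPLES:
        print(referer, port,
              naive_referer_check(referer, "slim.example", port),
              referer_matches_server(referer, "slim.example", port))
```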
Good find. KDF: Can you help out here?
The patch looks fine, however, bug758 addresses a concern for greater security yet allowing bookmarked pages that this referrer test will not allow. Perhaps this could be committed to 5.4.1, leaving bug758 to be merged into 6.0. The referrer test might then be completely removed from 6.0.
This problem is going to be handled by removing the referrer check and using the security settings given in bug758, or some variation.

*** This bug has been marked as a duplicate of 758 ***
Routine bug db maintenance; removing old versions which cause confusion. I apologize for the inconvenience.