Open ValdikSS opened 6 years ago
Well, @ValdikSS, this check was added to protect from <img src="/fdgkjdhgjfd"> attack. Normal HTTP requests send text/html as Accept, while img tags don't.
Do I understand this correctly that this is done to prevent deanonymization of Zeronet users from the usual internet websites? If Zeronet would serve the content when Accept header is completely missing, would that bring additional issues?
@ValdikSS Yes, for example, other sites could trigger site download by adding <img src="/Talk.ZeroNetwork.bit/"> tag that will download ZeroTalk.
Step 1: Please describe your environment

Step 2: Describe the problem:

Zeronet Ui expects HTTP Accept header to contain at least text/html. I2P tunnels remove Accept header from the request, which does not allow to access Zeronet due to the following check: https://github.com/HelloZeroNet/ZeroNet/blob/master/src/Ui/UiRequest.py#L283

Steps to reproduce:

Accept HTTP header to Zeronet UI address

Observed Results:

Zeronet returns HTTP 403 Invalid Accept header to load wrapper error.

Expected Results:

Zeronet ignores absence of HTTP Accept header and continues to work.
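
The check discussed in this thread, modelled as an added example (not ZeroNet's own code) to show what changes if a missing Accept header is tolerated. The function names, the `allow_missing_accept` switch, the WSGI-style `HTTP_ACCEPT` key and the sample header values are assumptions; the 403 text is the one quoted in the issue.

```python
# Added example, not ZeroNet's code. Names and sample header values are
# assumptions; the 403 message is the one quoted in the issue above.

def wrapper_status(environ, allow_missing_accept=False):
    """Return (status, message) for a request that would load the wrapper.

    environ is a WSGI-style dict; the Accept header arrives as HTTP_ACCEPT.
    allow_missing_accept models the behaviour requested in the issue.
    """
    accept = environ.get("HTTP_ACCEPT")
    if accept is None and allow_missing_accept:
        return 200, "OK"
    if "text/html" not in (accept or ""):
        return 403, "Invalid Accept header to load wrapper"
    return 200, "OK"


def strip_accept(environ):
    """Model a tunnel that removes Accept, as the issue reports for I2P."""
    return {k: v for k, v in environ.items() if k != "HTTP_ACCEPT"}


# Constructed requests for the same site path.
NAVIGATION = {"PATH_INFO": "/Talk.ZeroNetwork.bit/",
              "HTTP_ACCEPT": "text/html,application/xhtml+xml,*/*;q=0.8"}
IMG_TAG = {"PATH_INFO": "/Talk.ZeroNetwork.bit/",
           "HTTP_ACCEPT": "image/webp,*/*"}


def evaluate(allow_missing_accept):
    """Status code per scenario under the chosen policy."""
    cases = {
        "navigation": NAVIGATION,
        "img tag": IMG_TAG,
        "navigation via tunnel": strip_accept(NAVIGATION),
        "img tag via tunnel": strip_accept(IMG_TAG),
    }
    return {name: wrapper_status(env, allow_missing_accept)[0]
            for name, env in cases.items()}


if __name__ == "__main__":
    for flag in (False, True):
        print("allow_missing_accept =", flag, evaluate(flag))
```

With the switch on, the stripped navigation and the stripped img request are both served: once a tunnel removes Accept, the header no longer distinguishes the two.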