From: Fabian Keil Date: Mon, 20 Feb 2017 13:44:54 +0000 (+0000) Subject: Document the "trusted-cgi-referer" directive X-Git-Tag: v_3_0_27~219 X-Git-Url: http://www.privoxy.org/gitweb/%22https:/developer-manual/man-page/static/@user-manual@config.html?a=commitdiff_plain;h=448ef60b199803410296ff172d2a1f83dcf8565c;p=privoxy.git Document the "trusted-cgi-referer" directive Sponsored by: Robert Klemme --- diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml index a7405d96..7c420848 100644 --- a/doc/source/p-config.sgml +++ b/doc/source/p-config.sgml @@ -3,7 +3,7 @@ Purpose : Used with other docs and files only. - $Id: p-config.sgml,v 2.122 2016/05/22 12:41:50 fabiankeil Exp $ + $Id: p-config.sgml,v 2.123 2016/05/22 12:44:02 fabiankeil Exp $ Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/ See LICENSE. @@ -97,7 +97,7 @@ Sample Configuration File for Privoxy &p-version; - $Id: p-config.sgml,v 2.122 2016/05/22 12:41:50 fabiankeil Exp $ + $Id: p-config.sgml,v 2.123 2016/05/22 12:44:02 fabiankeil Exp $ Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/ 
@@ -1958,6 +1958,82 @@ ACLs: permit-access and deny-access @@enable-proxy-authentication-forwarding 0]]> + +trusted-cgi-referer + + + Specifies: + + + A trusted website or webpage whose links can be followed to reach sensitive CGI pages + + + + + Type of value: + + URL or URL prefix + + + + Default value: + + Unset + + + + Effect if unset: + + + No external pages are considered trusted referers. + + + + + Notes: + + + Before &my-app; accepts configuration changes through CGI pages like + client-tags or the + remote toggle, it checks + the Referer header to see if the request comes from a trusted source. + + + By default only the webinterface domains + config.privoxy.org + and + p.p + are considered trustworthy. + Requests originating from other domains are rejected to prevent + third-parties from modifiying Privoxy's state by e.g. embedding + images that result in CGI requests. + + + In some environments it may be desirable to embed links to CGI pages + on external pages, for example on an Intranet homepage the Privoxy admin + controls. + + + The trusted-cgi-referer option can be used to add that page, + or the whole domain, as trusted source so the resulting requests aren't + rejected. + Requests are accepted if the specified trusted-cgi-refer is the prefix + of the Referer. + + + + Declaring pages the admin doesn't control trustworthy may allow + malicious third parties to modify Privoxy's internal state against + the user's wishes and without the user's knowledge. + + + + + + +@@trusted-cgi-referer http://www.example.org/local-privoxy-control-page]]> + +
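Review bot: The Notes text in the new trusted-cgi-referer section says requests are accepted if the configured value "is the prefix of the Referer", but it never spells out what that means for the "or the whole domain" case mentioned one sentence earlier. If this is a plain string prefix comparison, a value such as http://www.example.org without a trailing slash is also a prefix of a Referer on a different host whose name merely begins with www.example.org. Please add a sentence telling admins to end a domain-wide value with "/", or add a second example line that does so next to the page-level example. Two typos in the same Notes paragraphs: "modifiying" should be "modifying", and "the specified trusted-cgi-refer" should be "trusted-cgi-referer".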