Why is WebGUI forcing top.location?
-
I have a network monitoring system hooked up to a big TV and had integrated the pfSense traffic graphs into the main monitoring page (so I could see the current bandwidth used on both my connections)… worked great with 1.2.3, but 2.0 forces the traffic graph to take top.location, which replaces my nice monitoring page with a full screen traffic graph!
I can see forcing that in some situations but why force it here? Is there any way I can disable that?
-
..Probably not the reply you expected, but how about you ssh to your firewall(s) and edit the php files (take a look in /usr/local/www/)?
I guess it is the file status_graph.php you want to edit, the guiconfig.inc and/or csrf/csrf-magic.js, so that location.top is not checked/set?
-
It's a security measure to prevent CSRF/XSS and similar attacks that can rely on embedding the firewall into some other untrusted page.
You can add this to the top of a PHP page:
$nocsrf = true;
And then it'll turn off that protection.
-
How can I turn off CSRF at all? Not only on one PHP page.
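-
Added example, not part of the original thread and not pfSense's own code: a frame guard that keeps the top.location protection described above but lets one known monitoring page embed the graph. The allow-listed origin and the function names are hypothetical; `location.ancestorOrigins` is not implemented by every browser, so the guard busts out when it is missing.

```javascript
// Frame guard with an explicit allow-list of embedding origins.
// ALLOWED_PARENTS and the origin in it are hypothetical placeholders.
const ALLOWED_PARENTS = ["https://monitor.example.lan"];

// Decide what a page should do when it loads. `win` is the page's window
// object (passed in so the logic can be exercised outside a browser).
// Returns "top-level", "allowed-frame" or "bust".
function frameDecision(win, allowedParents) {
  // Not framed at all: nothing to do.
  if (win.top === win.self) return "top-level";

  // location.ancestorOrigins lists the origin of every enclosing frame,
  // innermost first. If the browser does not provide it, the embedder
  // cannot be identified, so fall back to busting out of the frame.
  const ancestors = win.location.ancestorOrigins;
  if (!ancestors || ancestors.length === 0) return "bust";

  // Every ancestor must be on the allow-list: one untrusted frame anywhere
  // in the chain is enough to overlay the embedded page.
  for (let i = 0; i < ancestors.length; i++) {
    if (!allowedParents.includes(ancestors[i])) return "bust";
  }
  return "allowed-frame";
}

// Apply the decision. "bust" replaces the top-level document with this
// page, which is the behaviour the original poster observed.
function enforceFrameGuard(win, allowedParents) {
  const decision = frameDecision(win, allowedParents);
  if (decision === "bust") win.top.location = win.self.location.href;
  return decision;
}

// Run automatically only when loaded in a browser.
if (typeof window !== "undefined") enforceFrameGuard(window, ALLOWED_PARENTS);
```

A script check like this only works if the framed page's JavaScript runs; the `Content-Security-Policy: frame-ancestors` response header expresses the same allow-list and is enforced by the browser itself.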