Why is WebGUI forcing top.location?



  • I have a network monitoring system hooked up to a big TV and had integrated the pfSense traffic graphs into the main monitoring page (so I could see the current bandwidth used on both my connections)… worked great with 1.2.3, but 2.0 forces the traffic graph to take top.location, which replaces my nice monitoring page with a full screen traffic graph!

    I can see forcing that in some situations but why force it here?  Is there any way I can disable that?



  • @jmcentire:

    I have a network monitoring system hooked up to a big TV and had integrated the pfSense traffic graphs into the main monitoring page (so I could see the current bandwidth used on both my connections)… worked great with 1.2.3, but 2.0 forces the traffic graph to take top.location, which replaces my nice monitoring page with a full screen traffic graph!

    I can see forcing that in some situations but why force it here?  Is there any way I can disable that?

    ..Probably not the reply you expected, but how about you ssh to your firewall(s) and edit the php files (take a look in /usr/local/www/)?
    I guess it is the file status_graph.php you want to edit the guiconfig.inc and/or csrf/csrf-magic.js so that location.top is not checked/set?


  • Rebel Alliance Developer Netgate

    It's a security measure to prevent CSRF/XSS and similar attacks that can rely on embedding the firewall into some other untrusted page.

    You can add this to the top of a PHP page:

    $nocsrf = true;

    And then it'll turn off that protection.
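
What the check described in the reply above does, as an added sketch that is not part of the original posts and is not pfSense or csrf-magic code. It models windows as plain objects; `makeWindow`, `frameBreaker`, `loadPage` and the `*.example` URLs are assumptions made for illustration.

```javascript
// Constructed sample URLs (assumptions, not taken from a real setup).
const GRAPH = 'https://firewall.example/status_graph.php';
const DASHBOARD = 'https://monitor.example/wall.html';
const OTHER = 'https://untrusted.example/page.html';

// A "window" is an object with a location and a parent (null at top level).
function makeWindow(url, parent = null) {
  const win = { location: url, parent };
  win.self = win;
  // As in a browser, `top` is the outermost ancestor of this window.
  Object.defineProperty(win, 'top', {
    get() { let w = win; while (w.parent) w = w.parent; return w; },
  });
  return win;
}

// Frame-breaking check: a page that finds it is not the top-level window
// navigates the top-level window to its own URL.
// `protectionOff` stands in for a page that has opted out of the check.
function frameBreaker(win, protectionOff = false) {
  if (protectionOff || win.top === win.self) return false; // nothing to do
  win.top.location = win.self.location; // the whole tab now shows this page
  return true;
}

// Load pageUrl inside embedderUrl (or top-level when embedderUrl is null)
// and report what the browser tab ends up showing.
function loadPage(pageUrl, embedderUrl, protectionOff = false) {
  const outer = embedderUrl ? makeWindow(embedderUrl) : null;
  const page = makeWindow(pageUrl, outer);
  const brokeOut = frameBreaker(page, protectionOff);
  return {
    tabShows: page.top.location,
    brokeOut,
    stillEmbedded: outer !== null && !brokeOut,
  };
}

// 1. Opened directly: the check does nothing.
console.log(loadPage(GRAPH, null));
// 2. Embedded in the dashboard: the tab is taken over by the graph page.
console.log(loadPage(GRAPH, DASHBOARD));
// 3. Page opted out: it stays inside the dashboard ...
console.log(loadPage(GRAPH, DASHBOARD, true));
// 4. ... and equally inside any other page, since the opt-out names no embedder.
console.log(loadPage(GRAPH, OTHER, true));
```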



  • @jimp:

    It's a security measure to prevent CSRF/XSS and similar attacks that can rely on embedding the firewall into some other untrusted page.

    You can add this to the top of a PHP page:

    $nocsrf = true;

    And then it'll turn off that protection.

    How can I turn off CSRF at all? Not only on one PHP page.

