Netgate Discussion Forum

    Why is WebGUI forcing top.location?

    • J
      jmcentire
      last edited by

      I have a network monitoring system hooked up to a big TV and had integrated the pfSense traffic graphs into the main monitoring page (so I could see the current bandwidth used on both my connections). It worked great with 1.2.3, but 2.0 forces the traffic graph to take top.location, which replaces my nice monitoring page with a full-screen traffic graph!

      I can see forcing that in some situations but why force it here?  Is there any way I can disable that?

      • E
        esnakk
        last edited by

        @jmcentire:

        I have a network monitoring system hooked up to a big TV and had integrated the pfSense traffic graphs into the main monitoring page (so I could see the current bandwidth used on both my connections). It worked great with 1.2.3, but 2.0 forces the traffic graph to take top.location, which replaces my nice monitoring page with a full-screen traffic graph!

        I can see forcing that in some situations but why force it here?  Is there any way I can disable that?

        Probably not the reply you expected, but how about you SSH to your firewall(s) and edit the PHP files (take a look in /usr/local/www/)?
        I guess it is the file status_graph.php; you want to edit the guiconfig.inc and/or csrf/csrf-magic.js so that location.top is not checked/set?

        –
        Cheers,
        E

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          It's a security measure to prevent CSRF/XSS and similar attacks that can rely on embedding the firewall into some other untrusted page.

          You can add this to the top of a PHP page:

          $nocsrf = true;

          And then it'll turn off that protection.

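Added example (not from the thread, and not pfSense or csrf-magic source): a simplified JavaScript model of the frame-breaking behaviour described above, showing why the embedding dashboard gets replaced, followed by a header-based way of letting one named origin frame a page, which goes a step beyond what the thread discusses. The mock window objects, the `disabled` option, the host names and the function names are constructed for illustration.

```javascript
// Added example: a simplified model, not pfSense or csrf-magic source.
// Window objects are constructed mocks so this runs under Node, no browser needed.

// Classic frame-breaker: if the page is not the top-level browsing context,
// point the top-level window at the page's own URL.
function frameBreaker(win, opts = {}) {
  if (opts.disabled) return false;        // hypothetical per-page opt-out switch
  if (win.top === win.self) return false; // loaded directly, nothing to do
  // A cross-origin frame cannot read top.location; assigning to it is what
  // frame-breakers rely on.
  win.top.location = win.self.location.href;
  return true;
}

// Constructed scenario: a dashboard page embedding the firewall's graph page.
function makeFramedScenario(dashboardUrl, graphUrl) {
  const top = { location: dashboardUrl };
  top.top = top;
  top.self = top;
  const frame = { location: { href: graphUrl }, top };
  frame.self = frame;
  return { top, frame };
}

// Header-based control: the server names the origins allowed to frame it,
// so one trusted dashboard can embed the page while every other site is refused.
function framingHeaders(allowedOrigins = []) {
  const origins = allowedOrigins.map((o) => new URL(o).origin); // throws on bad input
  const headers = {
    "Content-Security-Policy": ["frame-ancestors 'self'", ...origins].join(" "),
  };
  // X-Frame-Options cannot express a multi-origin allowlist; send it only
  // when no external embedding is wanted.
  if (origins.length === 0) headers["X-Frame-Options"] = "SAMEORIGIN";
  return headers;
}

const demo = makeFramedScenario(
  "https://monitor.example/wall",
  "https://fw.example/status_graph.php"
);
frameBreaker(demo.frame);
console.log(demo.top.location); // the dashboard has been replaced by the graph URL
console.log(framingHeaders(["https://monitor.example/wall"]));
```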
          • E
            Essential
            last edited by

            @jimp:

            It's a security measure to prevent CSRF/XSS and similar attacks that can rely on embedding the firewall into some other untrusted page.

            You can add this to the top of a PHP page:

            $nocsrf = true;

            And then it'll turn off that protection.

            How can I turn off CSRF at all? Not only at one PHP page.
