#9792 – .htaccess blocks access for FireFox

Posted in ‘Akeeba Admin Tools for Joomla!’
Wednesday, 16 March 2011 04:36 CDT
Hi,

I have used the .htaccess Generator of Admin Tools to activate Server Protection (i.e. creating a .htaccess file in the root folder). I suppose that the following lines of the .htaccess file:

##### Advanced server protection -- BEGIN



## Referrer filtering for common media files

RewriteRule ^(images/stories/.*\.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|html))$ $1 [L]

RewriteCond %{REQUEST_FILENAME} -f

RewriteCond %{HTTP_REFERER} !^(http://www\.mydomain\.sk|https://www\.mydomain\.sk) [NC]

RewriteRule \.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|html)$ - [F,L]

...

## Allow limited access for certain Joomla! system directories with client-accessible content

RewriteRule ^((components|modules|templates|images|plugins|media)/.*\.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|mpg|mp3|mpeg|mp4|avi|wav|ogg|ogv|xls|xlsx|doc|docx|ppt|pptx|zip|rar|pdf|xps|txt|7z|svg|odt|ods|odp|flv|mov|ico|htm))$ $1 [L]


allow (besides other things) access to .swf files in any subdirectory of the "/components" directory. However, as FireFox does not provide the HTTP_REFERER parameter to the web server, .swf files are inaccessible (i.e. they are not displayed on the web page) while using FireFox, but they are accessible (i.e. displayed on the page) while using IE8. My point is to have the .swf files correctly displayed on the web pages regardless of which browser is used.

I have found a workaround for this issue by adding the line "RewriteCond %{HTTP_REFERER} !^$" to the .htaccess file, i.e.:

##### Advanced server protection -- BEGIN



## Referrer filtering for common media files

RewriteRule ^(images/stories/.*\.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|html))$ $1 [L]

RewriteCond %{REQUEST_FILENAME} -f

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^(http://www\.mydomain\.sk|https://www\.mydomain\.sk) [NC]

RewriteRule \.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|html)$ - [F,L]

...

## Allow limited access for certain Joomla! system directories with client-accessible content

RewriteRule ^((components|modules|templates|images|plugins|media)/.*\.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|mpg|mp3|mpeg|mp4|avi|wav|ogg|ogv|xls|xlsx|doc|docx|ppt|pptx|zip|rar|pdf|xps|txt|7z|svg|odt|ods|odp|flv|mov|ico|htm))$ $1 [L]


My question is whether this is a safe workaround or whether there is any other way to solve this issue with FireFox and the HTTP_REFERER parameter.

Thank you,
user33181
Wednesday, 16 March 2011 12:58 CDT
You can simply disable the HTTP referer filtering option in .htaccess maker. In the "Server Protection" slider set the "Anti-leech protection for static resources outside images/stories" to No. The idea is that if you're going to disable HTTP referer validation, be consistent and do it site-wide to avoid hard-to-trace problems. Besides, this feature only offers limited protection against fingerprinting attacks (i.e. attempts of hackers to fly under the radar in order to figure out which Joomla! release you're using). The rest of the security features of Admin Tools do a very good job at actively protecting your site, so the extra risk arising from fingerprinting attempts is minimal, if any.


Nicholas K. Dionysopoulos

Lead Developer and Director






nicholas
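
The rule logic discussed in this ticket, modelled in Python as an added example (not part of the ticket and not Admin Tools code): it evaluates the referrer-filtering block with and without the "!^$" condition for a few constructed requests. The "com_demo" path and the "other.example" host are made-up sample values.

```python
import re

# Extension list copied from the ticket's "Referrer filtering" rules.
EXT = r"(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|html)"
EXEMPT = re.compile(r"^(images/stories/.*\." + EXT + r")$")
MEDIA = re.compile(r"\." + EXT + r"$")
OWN_SITE = re.compile(r"^(http://www\.mydomain\.sk|https://www\.mydomain\.sk)", re.I)  # [NC]


def referer_filter(path, referer, allow_empty=False, is_file=True):
    """Return "403" if the referrer-filter block forbids the request, else "pass".

    path is relative to the site root, as mod_rewrite sees it in .htaccess.
    referer is the Referer header value, "" when the client sends none.
    allow_empty=True models the added line: RewriteCond %{HTTP_REFERER} !^$
    """
    if EXEMPT.search(path):       # first RewriteRule with [L]: never filtered
        return "pass"
    if not MEDIA.search(path):    # the [F,L] rule's pattern is tested before its conditions
        return "pass"
    # RewriteCond lines are ANDed: the rule fires only if every one holds.
    conds = [is_file]                                # %{REQUEST_FILENAME} -f
    if allow_empty:
        conds.append(referer != "")                  # !^$
    conds.append(OWN_SITE.search(referer) is None)   # !^(http://www\.mydomain\.sk|...)
    return "403" if all(conds) else "pass"


# Constructed sample requests: (path, Referer header)
SAMPLES = [
    ("components/com_demo/banner.swf", "http://www.mydomain.sk/index.php"),
    ("components/com_demo/banner.swf", ""),
    ("components/com_demo/banner.swf", "http://other.example/page.html"),
    ("images/stories/photo.jpg", "http://other.example/page.html"),
]


def compare():
    """Outcome per sample as (original rules, rules with the workaround)."""
    return [(referer_filter(p, r), referer_filter(p, r, allow_empty=True))
            for p, r in SAMPLES]


if __name__ == "__main__":
    for (p, r), (before, after) in zip(SAMPLES, compare()):
        print(f"{p:32} referer={r or '(none)':34} original={before:5} workaround={after}")
```

With the workaround, only requests that carry a foreign Referer are refused; a request without the header passes, which is consistent with the reply's remark that this filter offers limited protection.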