 |
SET actions
About SET actions
<set-action>s are used to configure internal Internet Services options.
Generally, a given SET option may only be executed once in any given evaluation pass of the HeaderMatch document. If an attempt is made to set a switch more than once in an evaluation pass, the second and subsequent values of the switch will be ignored.
If the SET command is prefaced by a condition, it will only count as having been executed if the condition evaluates to true. This means that, in the event that different behaviours for a given option are desired based on input conditions, the most specific condition should usually occur first in the file, with the more general conditions occurring later.
The syntax for a SET action is:
SET <set-option> [=] <value>
where <option> may be used to do any of the following:
• configure how Internet Services supports certain features of the HTTP protocol
• control Internet Services template rendering and/or form processing behaviour
• enable and configure optional features of the Internet Services HTTP server.
SET options to configure how Internet Services supports certain features of the HTTP protocol
Option |
Possible Value(s) |
Notes |
allowhttptrace |
1 | 0 |
This option is used to enable or disable the HTTP TRACE command (see RFC 2616 Section 9.8). By default the TRACE command is enabled. |
sendhttpserverheader |
1 | 0 |
This option is used to enable or disable the sending of the HTTP 'Server:' response header (see RFC2616 Section 14.38). By default, Internet Services will send a server header. |
204response |
normal | rfc | body | <http response code> |
This option is used to configure how Internet Services responds to commands that would usually receive a 204/No Content protocol response. 'normal' behaviour is to return the contents of the "Error204" template (with a 200/OK response code) if such a template exists, or a 204/No Content response if not. 'rfc' behaviour always
returns the 204/No Content response, and will not send any Error204 template, even if such a template exists. 'body' behaviour always returns a 200/OK response. In the event that no "Error204" template exists, a boilerplate template will be generated and sent by Internet Services. Any other response code will cause Internet Services to respond using that response code, using any appropriate error template. |
404redirect |
<local url> |
This option can be used to redirect "not found" requests to a common url elsewhere on the system (such as a common error page). This redirect supersedes any Error404 or other error page present in the current template set. This switch is best used with caution, as it can break site navigation and may disrupt non-browser HTTP clients (such as WebDAV mounters). |
forcehttpver10 |
1 | 0 |
This option is used to force Internet Services to respond to the current request using the 1.0 version of the HTTP protocol, even if the client advertises support for a different version. By default Internet Services responds to requests with the latest version of the HTTP protocol which the client claims to support, up to the most recent version which Internet Services understands (currently HTTP/1.1). |
keepalive |
1 | 0 |
This option is used to enable or disable HTTP keep-alive, which allows multiple requests to be made on a single TCP connection. By default, keep alive is enabled, provided the client is using an advanced enough version of the HTTP protocol to support it. |
usecomplianterrorcodes |
1 | 0 | default |
This option is used to set whether HTTP returns the defined protocol response code values for errors, or instead returns a "200/OK" response code when sending an error template. By default, Internet Services uses the proper RFC2616 defined error codes for all clients except Microsoft Internet Explorer. MSIE receives 200/OK responses for error templates in order to bypass that browser's standards violating and generally uninformative "friendly" error pages. |
allowcompression |
1 | 0 |
This option is used to enable or disable gzip or deflate compression on textual response bodies. By default, compression is enabled. |
trailingslashredirects |
1 | 0 |
This option is used to configure whether or not Internet Services will redirect clients so as to ensure the presence (for containers) or absence (for leaves) of a trailing slash. Failure to properly redirect clients when rendering HTML content may result in relative URLs not working, however some user agents (particularly some special purpose ones such as WebDAV clients) do not correctly handle the redirect. By default, redirects are enabled. |
contenttype |
<MIME type> |
This option is used to override the default content MIME type that Internet Services reports any response body to be in. Using this option does NOT change the actual content, only the value of the HTTP server's content-type response header. This option should NOT be used to set parameters in the content-type header (such as charset),
only the base content type. This switch overrides the content-type header of all returned content (including images and other uploaded files). For templates, the templatecontenttype templatecontenttype switch (below) is usually a more appropriate choice. By default Internet Services will generate an appropriate content-type header by looking up the relevant entry for what is currently being rendered in
the "MIME Types" configuration file. |
|
1 | 0 |
This option is used to configure whether or not the HTTP module will attempt to locate and use templates for alternate content types, based on the client's 'Accept' header. Such templates should have the normal template IDs, with extensions based on their content, as mapped using the Internet Services MIME Types file. Content negotiation
is disabled by default. |
allowedauthmodes |
<allowed auth modes hex bitmask> | ( [!] <auth mode> [ , [!] <auth mode> ]* ) |
This option sets the base list of authentication methods that are enabled. See Authentication Modes for a list of supported auth mechanisms and which are enabled by default. |
addauthmodes |
<allowed auth modes hex bitmask> | ( [!] <auth mode> [ , [!] <auth mode> ]* ) |
This option enables authentication methods, adding them to the current allowed auth modes. See Authentication Modes for a list of supported auth mechanisms. This SET switch may be activated more than once per HeaderMatch evaluation pass, but must be preceeded by a setting of the base
authentication level using allowedauthmodes, above. |
removeauthmodes |
<allowed auth modes hex bitmask> | ( [!] <auth mode> [ , [!] <auth mode> ]* ) |
This option disables authentication methods, removing them from the list of allowed auth modes. See Authentication Modes for a list of supported auth mechanisms. This SET switch may be activated more than once per HeaderMatch evaluation pass, but must be preceeded by a setting of the
base authentication level using allowedauthmodes, above. |
suppresshttpdigestreverseauthentication |
1 | 0 |
This option can be used to suppress the sending of the HTTP Digest login's Authentication-Info response header (see RFC2617 section 3.2.3). While the use of this header increases the security of the HTTP Digest authentication mode, some HTTP User-Agents have been found to be unable decode it correctly, preventing interoperation with these clients if this header is used. By default, this option is disabled. Note that enabling this option causes Internet Services to behave in a manner that is contrary to RFC2617 when using HTTP digest authentication. |
debuglevel |
<int> |
This option can be used on a per-request basis to set the debug level for testing/support purposes. |
SET options to control Internet Services template rendering and/or form processing behaviour
Option |
Possible Value(s) |
Notes |
templatecontenttype |
<MIME Type> |
This option is used to override the default content MIME type that Internet Services reports templates to be in. By default Internet Services will report templates to be type "text/html", unless enablecontentnegotiation is turned on, in which case template will be reported to be in the negotiated
content type. |
charset |
<charset code> |
This option can be used to force Internet Services to translate rendered content into a specific character set. By default, Internet Services selects an appropriate rendering character set based on the language and character set of the content being rendered. If you use this option, Internet Services will make no attempt to determine the suitability of the specified output character set. The onus is on the user to ensure that the requested character mapping is likely to produce useful results. For this
reason, it is usually a bad idea to override Internet Services' default charset selection unless interoperability with a third party HTTP-based application requires it. Internet Services does NOT support the UTF-16 or UCS-4 Unicode serializations. The ONLY Unicode serialization the Internet Services HTTP module supports for rendering is UTF-8. |
requirevalidationkeys |
1 | 0 |
This option is used to configure Internet Services to require that a single use validation key generated using the <X-FC-SESSION VKEY> tag be submitted in any request that changes the state of content on the FirstClass Server. This is used to prevent cross-site request forgery attacks. By default, this option is enabled. |
maxsessidletime |
<number of seconds> |
This option is used to limit the maximum amount of time that Internet Services will persist a login session with no hits from the HTTP client. Other factors can further foreshorten the session cache time, independent of this setting, such as the user's inactivity time or daily login time limit. This setting is intended for
use with HTTP protocols that do not support an inherent "logout" command, such as WebDAV clients, in order to reduce the number of abandoned "zombie" sessions left behind by clients that are not going to reconnect. Setting the <number of seconds> value to 0 will cause the session to remain active in idle mode until it is logged out, either by the user or the server. Setting the <number of seconds> value to less than zero will cause Internet Services to disconnect the session as soon as the last HTTP client disconnects. |
commontemplates |
<template alias> = <fallback> |
The common templates option defines a fallback template folder to use if templates are not present directly in the site folder. By default, there is no common templates fallback defined. <template alias> is the name of the active templates alias (".Templates", "Mobile.Templates" etc...) <fallback> is the path, from the cluster config folder, to the appropriate common fallback template folder ("WWW/Template Sets/Standard Templates", "WWW/Template Sets/Mobile Templates" etc...) This switch may be activated once per <template alias> per evaluation pass. |
.templates |
<template set name> |
This option is used to specify the name of the template set alias to use to render the response to the current request. Internet Services will render the response by selecting an appropriate template from a folder located at the site root with the name specified here, falling back to any "commontemplates" folder (see below) if no such alias exists in the site. The default value for this option is ".templates". |
plugin |
<plugin name> |
This option is used to force the response to the current request to be rendered using templates drawn from a specific plugin template set. By default, there is no override plugin set engaged. |
defaulttemplateextension |
<extension> |
This option is used to specify a default file name extension to be used when Internet Services looks for templates. Care should be taken when using this switch in conjunction with the 'enablecontentnegotiation' switch to ensure that there are no collisions between default template extensions and extensions for templates for alternate content-types. By default, there is no extension for templates. |
icons |
<icons resource file name> |
This option is used to specify an alternate resource file to draw language independent icons from. By default, language independent icons come from the "icons.rez" file. |
pictures |
<pictures resource file name> |
This option is used to specify an alternate resource file to draw language independent images from. By default, language independent images come from the "pictures.rez" file. |
sounds |
<sounds resource file name> |
This option is used to specify an alternate resource file to draw language independent sounds from. By default, language independent sounds come from the "sounds.rez" file. |
calview |
<template id> |
This option is used to override the default template that Internet Services will use to render calendars. By default Internet Services will use the view saved by the client in the calendar's layout information. |
calendaroptions |
<calendar option hex bitmask> | ( [!] <calendar option> [ , [!] <calendar option> ]* ) |
This option is used to enable or disable various rendering options for calendars. See Calendar Options for the list of calendar options, their bit values and default states. |
legacybodyfontsize |
1 | 0 |
This option is used to set whether or not Internet Services applies font size scaling to FirstClass body content in order to provide WYSIWYG editing of web content using the FirstClass client. By default, font scaling is enabled. |
legacyfileurls |
1 | 0 |
This option is used to set whether or not Internet Services will support URLs for uploaded files that make use of virtual folders in order to generate URLs that uniquely map to a given file while still resulting in correct file names in a browser's "Save As" dialog. By default, this option is disabled, and Internet Services uses URL paramters to ensure URL uniqueness for file names. |
forcedircontacts |
1 | 0 |
This option is used to force Internet Services to include contacts in directory searches, even if the search request does not include such. By default, this option is disabled. |
urlspaceversion |
<version number> |
This option is used to set what version of the Internet Services URL space is to be used. Documentation about the various URL space versions, and the differences between them, can be obtained in the FirstClass Webmasters FAQ folder (see the IS URL Space BNF documents on FCOL in Conferences/Peer to Peer Support/FirstClass Webmasters/FAQs). The default URL space is version 1. |
unixdates |
1 | 0 |
This option is used to force Internet Services to treat all dates submitted to it in form posts on or before 12:00am on Jan. 1, 1970 as being zero time for internal calculation purposes. By default, this option is disabled. |
fatalhtmlparseerrors |
<parse error hex bitmask> | ( [!] <parse error> [ , [!] <parse error> ]* ) |
This option is used to configure which inbound HTML constructs are to be considered "fatal" parsing errors preventing the storage of raw HTML data on the FirstClass Server. See HTML parser errors for a list of parser errors, their bitmask values and whether each is considered "fatal" by default. |
disablenonsecuresharedcontent |
1 | 0 |
This option configures whether X-FC tags that output URLs will output the URLs to shared icons and other shared resources using unsecure HTTP instead of HTTPS. Use of HTTP instead of HTTPS for loading shared resources results in a considerable performance gain with little loss of actual security, but some browsers (notably MSIE) will display a "mixed
content" warning dialog when presented with such a page. By default, this switch is disabled. |
SET options to enable and configure optional features of the Internet Services HTTP server
Option |
Possible Value(s) |
Notes |
enablewebdavfeatures |
<webdav feature hex bitmask> | ( [!] <webdav feature> [ , [!] <webdav feature> ]* ) |
This option is used to enable the WebDAV file protocol on Internet Services, as well as which WebDAV protocol features are to be supported. See WebDAV features for a list of WebDAV features, their bitmask values and whether or not they are enabled by default. |
proppatchmultistatusresponse |
1 | 0 |
This option is used to set whether Internet Services responds to successful WebDAV PROPPATCH commands with a 207/Multi-Status response or a 200/OK. The most recent versions of the WebDAV spec suggest that the correct response is the 207 response (see RFC 4918 section 9.2), and so this is Internet Services' default behaviour. There are
some WebDAV clients, most notably the WebDAV consortium's own test package, "litmus", which do not correctly handle a multi-status response to a successful PROPPATCH command. For such clients, set this switch to "0". An unsuccessful PROPPATCH command will always result in a 207/Multi-Status response detailing which property update(s) caused the failure. |
webdavobjectfilter |
<webdav object type list filter bitmask> | ( [!] <object type> [ , [1] <object type> ]* ) |
This option is used to filter the results returned by the WebDAV PROPFIND command. This can allow undesired object types to be masked from WebDAV in order to encourage users to keep their files in specific locations. |
httpclientenable |
enable | disable | auth |
This option is used to enable or disable Internet Services' HTTP Client module. The "auth" switch only allows the HTTP Client module to be used if the user is logged in. The default value for this option is "auth". |
httpclientauthenitcation |
all | none | basic | digest |
This option is used to configure which HTTP authentication mechanisms Internet Services will use when using the HTTP Client module. The value "all" will cause Internet Services to use whatever HTTP authentication mechanism it can. The value "none" will prevent Internet Services from using any authentication in the
HTTP Client module. The value "basic" will force Internet Services to use HTTP Basic authentication only in the HTTP Client module. The value "digest" will force Internet Services to use HTTP Digest authentication only in the HTTP Client module. The default value for this option is "digest". |
httpclientacceptcookies |
no | session |
This option is used to configure whether or not the HTTP Client module will persist cookies returned from requests for the duration of the user's logged in session. The default value for this option is session. |
httpclientwebdav |
1 | 0 |
This option is used to configure whether or not the HTTP Client module will support WebDAV commands. The default value for this option is enabled. |
httpclientwhitelist httpclientblacklist |
<list name> <list name> |
The httpclientwhitelist and httpclient blacklist options are used to restrict which sites the HTTP Client module can make requests of. Only one of these two switches can be used at a time. If whitelisting is configured, then Internet Services will only allow the HTTP Client module to connect to domains/IP addresses contained in the white list. If blacklisting is used, Internet Services will allow the HTTP Client module to connect to any domain/IP address NOT contained in the black list. Whitelists and blacklists are FC documents living in the Internet Services "Filters" folder, and have the same format as other filter documents in that folder. HTTP Client filter documents should have names starting with "httpclient." to identify that they are not to be used as SMTP filters. By default, Internet Services does not restrict which sites the HTTP Client module can connect to. |
httpclientsecurelist |
<list name> |
The httpclientsecurelist option is used to identify sites that the HTTP Client module should only connect to if the site provides a secure connection encrypted using a valid SSL certificate. A Secure list is an FC document living in the Internet Services "Filters" folder, and has the same format as other filter documents in that folder. HTTP Client filter documents should have names starting with "httpclient." to identify that they are not to be used as SMTP filters. In the event that this option is used in conjunction with whitelisting, a site that appears in the secure list is automatically considered whitelisted. The converse is not true, however (i.e. if blacklisting is in use, a site that appears in the black list and the secure list is still blacklisted). By default, Internet Services does not require secure connections to any site when using the HTTP Client, nor does it validate the SSL certificates of sites it does
connect to securely. |
httpclientttl |
<number of seconds> |
This option is used to configure how long Internet Services will retain the results of a given HTTP Client operation in memory after the completion of that operation. By default, Internet Services will persist the results of HTTP Client operations for 300 seconds (5 minutes) for operations performed by authenticated users, and for 5 seconds for operations performed by unauthenticated users. |
SET options to configure how Internet Services interacts with the FirstClass server
Option |
Possible Value(s) |
Notes |
clientlogintype |
<mode number> |
This option is used to control what kind of web client the currently selected interface reports itself as when it logs into the FirstClass server. At present, the options are 0 (the default), which is traditional FirstClass, and 1, which is BlueField/OTSM. |
Authentication modes
The following are the various authentication modes supported by Internet Services version 10.0, along with their bit values and default enabled states.
Use with the allowedauthmodes, addauthmodes, and removeauthmodes SET switches.
Tokens are processed in the order they occur, left to right, so it is possible to start with a collection of auth modes and then disable some by using the not token (!).
For instance, an allowedauthmodes value of "Form_Login, Allow_Saved_Password, !Session_Key_URLHash" would have a net enabled value of 0x1BC0, or all the form modes (0x03C0), the saved password mode (0x1000) and cookie based session keys (0x0800), but not URLHash based session keys (0x0400), despite the fact that they are enabled by the Form_Login switch, because they were subsequently turned off by the !Session_Key_URLHash token.
Switch |
Bit Value (Hex) |
Enabled |
Notes |
Browser_Basic |
0x0001 |
yes |
RFC2616 Browser Basic auth. Highly insecure, it is recommended that this auth mode be disabled if not using SSL. |
Browser_Digest |
0x0002 |
yes |
RFC2617 Browser Digest auth (MD5-Sess). Very secure, but support is buggy in several high-profile HTTP clients (FireFox, MS WebDAV Redirector) |
URLParam_PlainText |
0x0004 |
yes |
Plain text password passed in an URL parameter. Utterly insecure, even when using SSL. DO NOT use this unless you have no security concerns at all. |
URLParam_MD5 |
0x0008 |
yes |
MD5 digest password passed in an URL parameter. Fairly secure, but usually better to use Form_MD5 if possible to hide the digest. |
URLParam_SHA1 |
0x0010 |
yes |
SHA1 digest password passed in an URL parameter. Slightly better security than MD5, but better still to use Form_SHA1 if possible. |
URLParam_Ticket |
0x0020 |
yes |
Ticket supplied by some non-Internet Services app, passed in an URL parameter. Quality of security depends on how good the ticket is, but depending on how long the ticket is good for, if it is multi-use, it may be dangerous to allow the browser to put it in the History. Use Form_Ticket instead to prevent this. |
Form_PlainText |
0x0040 |
yes |
Plain text password passed in a form POST. Not secure, but may be required to support non-JavaScript enabled devices. Mitigate the risk by using SSL. |
Form_MD5 |
0x0080 |
yes |
MD5 digest passed in a form POST. Good security. |
Form_SHA1 |
0x0100 |
yes |
SHA1 digest passed in a form POST. Best auth mechanism that does not require browser support. |
Form_Ticket |
0x0200 |
yes |
Ticket supplied by some non-Internet Services app, passed in a form POST. Security quality depends on how good the ticket is. |
Session_Key_URLHash |
0x0400 |
yes |
Session keys may be persisted in the "Login" URL. Not very secure, but may be necessary to allow cross-app URL passing and for clients that have disabled or don't support cookies. |
Session_Key_Cookie |
0x0800 |
yes |
Session keys may be persisted in cookies. More secure than Session_Key_URLHash, though still a risk if not used in conjunction with SSL. |
Allow_Saved_Passwords |
0x1000 |
yes |
Saved SHA1 two stage digest password, requires that either Form_SHA1 or URLParam_SHA1 be active. |
Browser_All |
0x0003 |
N/A |
Enables all Browser native auth modes (Basic & Digest) |
URLParam_All |
0x003C |
N/A |
Enables all URL Parameter auth modes |
Form_All |
0x03C0 |
N/A |
Enables all Form auth modes |
Session_Key_All |
0x0C00 |
N/A |
Enables all Session Key modes |
URLParam_Login |
0x0C3C |
N/A |
Enables all URL Parameter and Session Key auth modes |
Form_Login |
0x0FC0 |
N/A |
Enables all Form and Session Key auth modes |
Legacy_91 |
0x1FFE |
N/A |
Enables all auth modes that were available in Internet Services version 9.1 |
Secure |
0x0B20 |
N/A |
Enables a set of auth modes that provides decent security while still being supported by most template sets and HTTP clients. Extremely secure if used in conjunction with SSL to encrypt authenticated sessions' connections, but may have some issues with less capable user-agents and older template sets, as well as poor interoperability for embedded content not natively supported by web browsers (such as audio & video). |
None |
0x0000 |
N/A |
Disables all auth modes. Useful if starting with allowedauthmodes set to nothing enabled and then turning on selected auth modes using the addauthmodes switch. |
Any |
0x7FFF |
N/A |
Enables all auth modes. |
Default |
0x7FFF |
N/A |
Enables the default set of auth modes (at present this is all auth modes, but that may change in future releases). |
Some notes on auth modes
The URLParam and Form auth modes require the use of at least one of the Session_Key modes in order to persist a session. Failure to enable at least one session key switch will cause your session to be logged out after a single hit, requiring reauthentication before a second HTTP request can be made. This is effectively non-functional in any kind of modern environment. The downside for using non browser native session keys is that they cannot easily be made dynamic (ie the same session key is used on every request), meaning that they are vulnerable to being "snooped" by an attacker, who could then hijack the user's session. Of the two session key mechanisms supported, Session_Key_URLHash allows the best interoperability for passing URLs to authenticated domain objects between applications, but is the most
vulnerable to snooping, since the session key is stored in the URL itself. Session_Key_Cookie keeps the session key out of sight, but can not be passed between applications and can still be snooped using a packet sniffer such as WireShark. Session key snooping using a packet sniffer can be prevented by using SSL to encrypt the browser to Internet Services connection.
The Browser_Digest is the best auth mode (in terms of security) for non-browser clients that are not using HTTP to render the web interface (such as WebDAV clients), and also provides the best security for non-SSL protected browser connections. It combines the use of a secure digest password hashing algorithm (MD5) with a protocol driven dynamic session key mechanism that is immune to penetration using a packet sniffer. Unfortunately, despite its benefits, it has two major flaws. The first is the flaw common to all HTTP defined auth modes, which is the lack of a logout command, meaning that a user's credentials are persisted by the client indefinitely (generally until the client app is closed). This means that if a user walks away from their computer without closing their browser, anyone can come along and get back into
their account, even if the web interface's "logout" button has been pressed. The lack of a protocol level logout command means that there is no way to cause the user-agent to "forget" the currently logged in user short of shutting it down (something not even possible in most public access or "library" terminals). The second serious flaw is that HTTP digest authentication is poorly implemented by many HTTP clients, rendering it non-functional. Regrettably, this is particularly true of WebDAV clients, which have no choice but to use the RFC defined auth mechanisms. Of the dozen or so WebDAV clients tested by the Internet Services team during development, only the Macintosh OSX 10.5 Finder and MS Office 2007 on Windows XP had fully functional HTTP Digest implementations for their WebDAV modules. Of the major browsers, FireFox has a long standing bug in its HTTP Digest implementation (see Bugzilla 270447), rendering it non-functional. Microsoft's Internet Explorer and Apple's Safari
both have working HTTP digest implementations in their recent versions.
The best security currently available for browsers running the web interface is achieved by using Form_SHA1 and Session_Key_Cookie over an SSL protected connection.
Form authentication is generally more secure than URL Parameter authentication, because the latter can result in credentials being stored in the browser history. While this is not so bad for digest based credentials, since Internet Services will only allow a given digest challenge string to be used once to prevent replay attacks, allowing a plaintext password to go into the browser history is tantamount to announcing it to the whole world. Some tickets may also have long shelf lives and allow multiple uses, meaning that allowing the browser to save them in its history is not a good idea from a security perspective.
HTML parser errors
The following are the errors that the Internet Services version 10.0 HTML parser is set up to detect, along with their bit values and whether or not they are considered "fatal" (i.e. just grounds for not storing the raw HTML).
In the event that a "fatal" HTML parser error is detected, Internet Services will store a digested version of the HTML content, rather than the original HTML stream. Parser errors come in two general classes, errors caused by syntax errors in the inbound HTML markup, possibly causing page errors or incorrect rendering when output, and warnings about the use of HTML features that may pose a security or privacy risk, such as running scripts, or accessing content on external servers.
The default set of "fatal" parser errors is fairly strict, rejecting all HTML that is malformed, not renderable by the FC client, or contains suspicious external content.
Use with the fatalhtmlparseerrors SET switch.
Tokens are processed in the order they occur, left to right, so it is possible to start with a collection of fatal errors and then disable some by using the not token (!).
Flag |
Bit Value (Hex) |
Enabled |
Notes |
Error_UnknownTags |
0x00000001 |
yes |
Indicates that the content contains tags unknown to the Internet Services HTML parser. Internet Services currently knows about all the tags in the HTML 4/XHTML 1.1 specs, plus the more common browser extensions. Internet Services is not a full fledged XML parser (it does not do DTD lookups or validations), it only does
HTML. |
Error_Malformed |
0x00000002 |
yes |
Content contains malformed markup (unclosed tags, illegal characters etc...) |
Error_InvalidTable |
0x00000004 |
no |
Content contains malformed HTML tables |
Warning_ExternCSS |
0x00010000 |
yes |
Content references one or more external stylesheets (medium privacy/phishing/XSRF risk) |
Warning_ExternImages |
0x00020000 |
yes |
Content references one or more external images (medium privacy/phishing/XSRF risk) |
Warning_Script |
0x00040000 |
yes |
Content has scripts (low security risk, not renderable by FC client) |
Warning_Forms |
0x00080000 |
yes |
Content has HTML forms (low security risk, not renderable by FC client) |
Warning_Framesets |
0x00100000 |
yes |
Content has HTML framesets (not renderable by FC client, may be a security and/or privacy risk if frames reference external sites) |
Warning_IFrames |
0x00200000 |
yes |
Content has HTML iframes or ilayers (not renderable by FC client, may be a security and/or privacy risk if frames reference external sites) |
Warning_EmbeddedApp |
0x00400000 |
yes |
Content has embedded applications or applets (medium-high security risk - this is running arbitrary code on the users' machines without asking, could be a virus) |
Warning_ImageMaps |
0x00800000 |
yes |
Content has HTML image maps (not renderable by FC client, may be a security and/or privacy risk if maps reference external sites) |
Warning_ExternEmbeddedApp |
0x01000000 |
yes |
Content has external embedded applications or applets (high security risk - same risks as EmbeddedApp, plus the app(s) are coming from external server(s)) |
Warning_UnsupportedTags |
0x80000000 |
yes |
Content has HTML tags not supported by the Internet Services parser |
Errors |
0x00000007 |
N/A |
Rejects all malformed or invalid HTML |
ClientCompatible |
0x81FF0003 |
N/A |
Rejects anything that the FC client can't handle |
ExternalContent |
0x01070000 |
N/A |
Rejects anything that references external web sites |
None |
0x00000000 |
N/A |
Accepts all HTML content without sanitizing |
All |
0xFFFFFFFF |
N/A |
Accepts no "sanitized" HTML content |
Default |
0x81FF0003 |
N/A |
Sets the default set of parser errors (at present, this is the same as ClientCompatible) |
WebDAV features
The following are the WebDAV features supported by Internet Services version 10.0, along with their bit values and default enabled states.
Use with the enablewebdavfeatures SET switch.
Tokens are processed in the order they occur, left to right, so it is possible to start with a collection of features and then disable some by using the not token (!).
Feature |
Bit Value (Hex) |
Enabled |
Notes |
WebDAV_Basic |
0x0001 |
yes |
This enables the basic WebDAV protocol. All other switches require that this one be turned on in order to function. |
WebDAV_Locking |
0x0002 |
yes |
This enables the optional locking part of the basic WebDAV specification (see RFC 4918 section 18). |
Disabled |
0x0000 |
N/A |
Completely disables WebDAV |
All |
0xFFFF |
N/A |
Enables all currently supported WebDAV features |
Default |
0x0003 |
N/A |
Enables the default set of WebDAV features |
WebDAV object filter types
Object Type |
Bit Value (Hex) |
Enabled |
Notes |
Conferences |
0x00000001 |
yes |
Includes typed conferences, such as calendars & communities |
Folders |
0x00000002 |
yes |
Includes typed folders, such as ContactDBs |
Files |
0x00000010 |
yes |
|
Calendars |
0x00010000 |
yes |
|
ContactDBs |
0x00020000 |
yes |
|
Communities |
0x00040000 |
yes |
Open Text Social Workplace (OTSW) users only |
All |
0xFFFFFFFF |
N/A |
|
None |
0x00000000 |
N/A |
|
Default |
0x00000013 |
N/A |
Default filter is all conferences, all folders and all files |
Calendar options
The following are the default calendar rendering options supported by Internet Services version 10.0, along with their default enabled states.
Use with the calendaroptions SET switch
Tokens are processed in the order they occur, left to right, so it is possible to start with a collection of options and then disable some by using the not token (!).
Option |
Bit Value (Hex) |
Enabled |
Notes |
VerboseFieldData |
0x0001 |
no |
Store limited set of calculated calendar data in field data instead of calendar structures (must be accessed via X-FC-FIELD instead of X-FC-CALENDAR-ITEM) |
FirstDayOfWeek |
0x0002 |
yes |
Honour the user's "First day of week" preference when calculating time brackets for calendar views |
AllDayEvents |
0x0004 |
yes |
Calculate all-day events |
PunchThrough |
0x0008 |
yes |
Import items from sub-calendars ("punch-through" calendaring) |
MonthViewDaySpan |
0x0010 |
no |
Compute column span information for events in month view |
IncludeAllItems |
0x0020 |
no |
Include all types of items in all calendar views |
Legacy55 |
0x0021 |
N/A |
The set of calendar options used by templates released with FC versions prior to 7.0 |
Legacy70 |
0x0022 |
N/A |
The set of calendar options used by templates released with FC version 7.0 up to but not including version 8.0 |
Legacy80 |
0x0026 |
N/A |
The set of calendar options used by templates released with FC version 8.0 up to but not including version 9.0 |
Default |
0x000E |
N/A |
The default set of calendar options |
| |
