- Posts: 33
- Thank you received: 0
- Home
- /
- Forum
- /
- Securitycheck Pro
- /
- Bug report
- /
- Content-Security-Policy update troubles Admin buttons
Content-Security-Policy update troubles Admin buttons
- Timeforsmilin
-
Topic Author
- Offline
- Junior Boarder
-
Less
More
3 months 2 weeks ago #6102
by Timeforsmilin
Content-Security-Policy update troubles Admin buttons was created by Timeforsmilin
Hi Jose,
I updated the software today, and saw that the manual entries that I made in the htaccess file now show in the header protection area for content-security-policy. This rendered the admin buttons to save/save&close/close useless. I tested it by commenting out that function, and the buttons regained function. The function was the same with Safari, Chrome, and Firefox.
This is what I have:
default-src 'self' domain.com; img-src 'self'; style-src 'self'; connect-src 'self'; sandbox 'allow-same-origin';
Testing the site here: securityheaders.com , shows no errors, although Joomla has its own content-security-policy and x-frame-options headers that I haven't found, which produces a duplicate error message.
Louis
I updated the software today, and saw that the manual entries that I made in the htaccess file now show in the header protection area for content-security-policy. This rendered the admin buttons to save/save&close/close useless. I tested it by commenting out that function, and the buttons regained function. The function was the same with Safari, Chrome, and Firefox.
This is what I have:
default-src 'self' domain.com; img-src 'self'; style-src 'self'; connect-src 'self'; sandbox 'allow-same-origin';
Testing the site here: securityheaders.com , shows no errors, although Joomla has its own content-security-policy and x-frame-options headers that I haven't found, which produces a duplicate error message.
Louis
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
Less
More
- Posts: 3106
- Karma: 25
- Thank you received: 261
3 months 2 weeks ago #6103
by Jose
Replied by Jose on topic Content-Security-Policy update troubles Admin buttons
Hi Louis,
Where the headers set into the htacess before the update or did you apply them after the update?
There was an error in that policy (Content-Security Policy applied an XSS-Protection header), so if you applied it before try deleting the htacess and apply protection again.
Regards,
Jose
Where the headers set into the htacess before the update or did you apply them after the update?
There was an error in that policy (Content-Security Policy applied an XSS-Protection header), so if you applied it before try deleting the htacess and apply protection again.
Regards,
Jose
Please Log in or Create an account to join the conversation.
- Timeforsmilin
-
Topic Author
- Offline
- Junior Boarder
-
Less
More
- Posts: 33
- Thank you received: 0
3 months 2 weeks ago #6104
by Timeforsmilin
Replied by Timeforsmilin on topic Content-Security-Policy update troubles Admin buttons
I actually did that as well. I removed the htaccess file, and set the one back that came originally with Joomla, then applied your security and mod-rewrite to it; then I retested commenting out that section, with the same results.
Cheers,
Louis
Cheers,
Louis
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
Less
More
- Posts: 3106
- Karma: 25
- Thank you received: 261
3 months 2 weeks ago #6106
by Jose
Replied by Jose on topic Content-Security-Policy update troubles Admin buttons
I have just tested it and the issue comes due to the settings you set (this is, there is no bug in htaccess protection).
Setting your CSP disables the buttons, but if you set other CSP (for example default-src http: data: 'unsafe-inline' 'unsafe-eval') everything works fine.
Regards,
Jose
Setting your CSP disables the buttons, but if you set other CSP (for example default-src http: data: 'unsafe-inline' 'unsafe-eval') everything works fine.
Regards,
Jose
Please Log in or Create an account to join the conversation.
- Timeforsmilin
-
Topic Author
- Offline
- Junior Boarder
-
Less
More
- Posts: 33
- Thank you received: 0
3 months 1 week ago #6128
by Timeforsmilin
Replied by Timeforsmilin on topic Content-Security-Policy update troubles Admin buttons
Hi Jose,
<quote>Setting your CSP disables the buttons, but if you set other CSP (for example default-src http: data: 'unsafe-inline' 'unsafe-eval') everything works fine.</quote>
This isn't so. Those directives are set somewhere and somehow that is not visible, and the Joomla developers blame your software for that, as there is a duplicate entry, which the CSP checking sites both complain about. When I disable the good directives, and leave those you have mentioned, which those same sites say are not good, the buttons work.
Louis
<quote>Setting your CSP disables the buttons, but if you set other CSP (for example default-src http: data: 'unsafe-inline' 'unsafe-eval') everything works fine.</quote>
This isn't so. Those directives are set somewhere and somehow that is not visible, and the Joomla developers blame your software for that, as there is a duplicate entry, which the CSP checking sites both complain about. When I disable the good directives, and leave those you have mentioned, which those same sites say are not good, the buttons work.
Louis
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
Less
More
- Posts: 3106
- Karma: 25
- Thank you received: 261
3 months 1 week ago #6129
by Jose
Replied by Jose on topic Content-Security-Policy update troubles Admin buttons
Hi Louis,
Content-Security policies are set depending of what you set in the extension's field for that and are stored into the .htaccess. This is so and you can check it.
Regards,
Jose
Content-Security policies are set depending of what you set in the extension's field for that and are stored into the .htaccess. This is so and you can check it.
Would you be so kind to clarify this?and the Joomla developers blame your software for that
Regards,
Jose
Please Log in or Create an account to join the conversation.
Time to create page: 0.091 seconds