Content-Security-Policy update troubles Admin buttons

3 months 2 weeks ago #6102 by Timeforsmilin
Hi Jose,

I updated the software today, and saw that the manual entries that I made in the htaccess file now show in the header protection area for content-security-policy. This rendered the admin buttons to save/save&close/close useless. I tested it by commenting out that function, and the buttons regained function. The function was the same with Safari, Chrome, and Firefox.

This is what I have:
default-src 'self' domain.com; img-src 'self'; style-src 'self'; connect-src 'self'; sandbox 'allow-same-origin';

Testing the site here: securityheaders.com, shows no errors, although Joomla has its own content-security-policy and x-frame-options headers that I haven't found, which produces a duplicate error message.

Louis


3 months 2 weeks ago #6103 by Jose
Hi Louis,

Were the headers set in the .htaccess before the update, or did you apply them after the update?

There was an error in that policy (Content-Security-Policy applied an XSS-Protection header), so if you applied it before, try deleting the .htaccess and applying protection again.

Regards,
Jose


3 months 2 weeks ago #6104 by Timeforsmilin
I actually did that as well. I removed the htaccess file and set back the one that came originally with Joomla, then applied your security and mod-rewrite to it; then I retested commenting out that section, with the same results.

Cheers,
Louis


3 months 2 weeks ago #6106 by Jose
I have just tested it and the issue comes from the settings you set (that is, there is no bug in the htaccess protection).

Setting your CSP disables the buttons, but if you set another CSP (for example default-src http: data: 'unsafe-inline' 'unsafe-eval') everything works fine.

Regards,
Jose

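Added example (not code from the thread or from the extension): a small checker that applies the CSP rules behind the two policies quoted above, so a reader can see why the first policy blocks the admin buttons while the second does not. It models three things: script-src falls back to default-src when absent; a `sandbox` directive without `allow-scripts` and `allow-forms` disables script execution and form posts for the whole page; and when two CSP headers reach the browser (the .htaccess one plus Joomla's own, the "duplicate" mentioned earlier), both are enforced, so each must allow the action. The policy strings are the ones quoted in the thread, embedded here for the demo.

```python
"""Check whether a Content-Security-Policy lets a page's inline handlers run."""
from typing import Dict, List

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """'directive src src; directive ...' -> dict; on a repeated directive the first wins."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out

def inline_script_blockers(policy_text: str) -> List[str]:
    """Reasons this single policy would stop an inline onclick / form-submit handler."""
    policy = parse_csp(policy_text)
    reasons: List[str] = []
    if "sandbox" in policy:  # iframe-sandbox semantics applied to the whole document
        flags = [f.strip("'") for f in policy["sandbox"]]  # accept quoted or bare flags
        if "allow-scripts" not in flags:
            reasons.append("sandbox without allow-scripts: no script runs at all")
        if "allow-forms" not in flags:
            reasons.append("sandbox without allow-forms: form submission blocked")
    srcs = policy.get("script-src", policy.get("default-src"))  # fetch-directive fallback
    if srcs is None:  # neither directive present: scripts are unrestricted
        return reasons
    # A nonce or hash makes the browser ignore 'unsafe-inline'; event handler attributes
    # still need a blanket 'unsafe-inline', so that case counts as blocked here.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs)
    if "'unsafe-inline'" not in srcs or nonce_or_hash:
        reasons.append("effective script-src lacks a blanket 'unsafe-inline': inline handlers blocked")
    return reasons

def inline_allowed_by_all(policies: List[str]) -> bool:
    """Several CSP headers are enforced independently: every one must allow the action."""
    return all(not inline_script_blockers(p) for p in policies)

# Policies quoted in the thread (constructed inputs for this demo).
LOUIS_CSP = ("default-src 'self' domain.com; img-src 'self'; style-src 'self'; "
             "connect-src 'self'; sandbox 'allow-same-origin';")
JOSE_CSP = "default-src http: data: 'unsafe-inline' 'unsafe-eval'"

if __name__ == "__main__":
    for name, csp in (("Louis", LOUIS_CSP), ("Jose", JOSE_CSP)):
        print(name, inline_script_blockers(csp) or ["inline handlers allowed"])
    print("both headers sent:", inline_allowed_by_all([LOUIS_CSP, JOSE_CSP]))
```

The sandbox findings are the ones to look at first: `sandbox 'allow-same-origin'` alone stops every script on the page, which explains the dead save buttons regardless of what default-src allows.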

3 months 1 week ago #6128 by Timeforsmilin
Hi Jose,
<quote>Setting your CSP disables the buttons, but if you set other CSP (for example default-src http: data: 'unsafe-inline' 'unsafe-eval') everything works fine.</quote>

This isn't so. Those directives are set somewhere, and somehow, that is not visible, and the Joomla developers blame your software for that, as there is a duplicate entry, which the CSP checking sites both complain about. When I disable the good directives and leave those you have mentioned, which those same sites say are not good, the buttons work.

Louis


3 months 1 week ago #6129 by Jose
Hi Louis,

Content-Security policies are set depending on what you set in the extension's field for that and are stored in the .htaccess. This is so and you can check it.

<quote>and the Joomla developers blame your software for that</quote>

Would you be so kind to clarify this?

Regards,
Jose
