Content-Security-Policy update troubles Admin buttons
- Posts: 36
- Thank you received: 0
- Home
- /
- Forum
- /
- Securitycheck Pro
- /
- Bug report
- /
- I think that some google organic search incoming
Content-Security-Policy update troubles Admin buttons
- Timeforsmilin
-
Topic Author
- Offline
- Junior Boarder
-
Less
More
1 year 10 months ago #6130
by Timeforsmilin
Replied by Timeforsmilin on topic Content-Security-Policy update troubles Admin buttons
Hey Jose,
I ended up finding a thread about CSP and internal settings on Github, so I joined to participate. I had returned my htaccess to the original Joomla version, and the two CSP checking sites both still showed the 2 unsafe inline entries, along with an X-frame entry. I asked them where they had this hidden in Joomla, since I had disabled yours. They did provide me a plugin for Joomla 3.X, but they are integrating that with Joomla 4, and didn't like me suggesting they had hidden it in code, so they closed the thread.
Here are my settings:
## Begin Securitycheck Pro Xframe-options protection
## Don't allow any pages to be framed - Defends against CSRF
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN
</IfModule>
## End Securitycheck Pro Xframe-options protection
## Begin Securitycheck Pro Prevent mime based attacks
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
## End Securitycheck Pro Prevent mime based attacks
## Begin Securitycheck Pro Strict Transport Security
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
## End Securitycheck Pro Strict Transport Security
## Begin Securitycheck Pro X-Xss-Protection
<IfModule mod_headers.c>
Header set X-Xss-Protection "1; mode=block"
</IfModule>
## End Securitycheck Pro X-Xss-Protection
## Begin Securitycheck Pro Content-Security-Policy protection
#<IfModule mod_headers.c>
#Header set Content-Security-Policy "default-src 'self' corporateone.ca; img-src 'self'; style-src 'self'; connect-src 'self'; sandbox 'allow-same-origin';"
#</IfModule>
## End Securitycheck Pro Content-Security-Policy protection
## Begin Securitycheck Pro Referrer policy protection
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin"
</IfModule>
## End Securitycheck Pro Referrer policy protection
## Begin Securitycheck Pro Feature policy protection
<IfModule mod_headers.c>
Header set Feature-Policy "push 'self'"
</IfModule>
## End Securitycheck Pro Referrer policy protection
You can see that I have commented out my content-security-policy settings so that my admin buttons work.
content-security-policy.com/
If you enter corporateone.ca in here, you will see the duplicate entries for X-frame, but it probably won't complain about duplicate CSP entries since I have had to disable mine. This same site, or one of the other reference sites suggest the inline statements as being poor entries.
Louis
I ended up finding a thread about CSP and internal settings on Github, so I joined to participate. I had returned my htaccess to the original Joomla version, and the two CSP checking sites both still showed the 2 unsafe inline entries, along with an X-frame entry. I asked them where they had this hidden in Joomla, since I had disabled yours. They did provide me a plugin for Joomla 3.X, but they are integrating that with Joomla 4, and didn't like me suggesting they had hidden it in code, so they closed the thread.
Here are my settings:
## Begin Securitycheck Pro Xframe-options protection
## Don't allow any pages to be framed - Defends against CSRF
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN
</IfModule>
## End Securitycheck Pro Xframe-options protection
## Begin Securitycheck Pro Prevent mime based attacks
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
## End Securitycheck Pro Prevent mime based attacks
## Begin Securitycheck Pro Strict Transport Security
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
## End Securitycheck Pro Strict Transport Security
## Begin Securitycheck Pro X-Xss-Protection
<IfModule mod_headers.c>
Header set X-Xss-Protection "1; mode=block"
</IfModule>
## End Securitycheck Pro X-Xss-Protection
## Begin Securitycheck Pro Content-Security-Policy protection
#<IfModule mod_headers.c>
#Header set Content-Security-Policy "default-src 'self' corporateone.ca; img-src 'self'; style-src 'self'; connect-src 'self'; sandbox 'allow-same-origin';"
#</IfModule>
## End Securitycheck Pro Content-Security-Policy protection
## Begin Securitycheck Pro Referrer policy protection
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin"
</IfModule>
## End Securitycheck Pro Referrer policy protection
## Begin Securitycheck Pro Feature policy protection
<IfModule mod_headers.c>
Header set Feature-Policy "push 'self'"
</IfModule>
## End Securitycheck Pro Referrer policy protection
You can see that I have commented out my content-security-policy settings so that my admin buttons work.
content-security-policy.com/
If you enter corporateone.ca in here, you will see the duplicate entries for X-frame, but it probably won't complain about duplicate CSP entries since I have had to disable mine. This same site, or one of the other reference sites suggest the inline statements as being poor entries.
Louis
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
Less
More
- Posts: 3908
- Karma: 25
- Thank you received: 302
1 year 10 months ago #6131
by Jose
Replied by Jose on topic Content-Security-Policy update troubles Admin buttons
Hi Louis,
I have checked your website with https://securityheaders.com and you're right: there was a duplicate X-Frame-Options header. But believe me when I say this is not caused by my extension (unless there is a bug I haven't found yet). Passing your .htaccess settings you would not get this warning because there is only an X-Frame-Options... Could there be other extension causing this issue?
Regarding to the unsafe inline entries this depends of your needs; when I set a restrictive CSP in my website I got some issues, so I also applied the unsafe-inline directive. I know this is not the optimal solution but it remains my site usable (for me and for my customers).
Regards,
Jose
I have checked your website with https://securityheaders.com and you're right: there was a duplicate X-Frame-Options header. But believe me when I say this is not caused by my extension (unless there is a bug I haven't found yet). Passing your .htaccess settings you would not get this warning because there is only an X-Frame-Options... Could there be other extension causing this issue?
Regarding to the unsafe inline entries this depends of your needs; when I set a restrictive CSP in my website I got some issues, so I also applied the unsafe-inline directive. I know this is not the optimal solution but it remains my site usable (for me and for my customers).
Regards,
Jose
Please Log in or Create an account to join the conversation.
- Timeforsmilin
-
Topic Author
- Offline
- Junior Boarder
-
Less
More
- Posts: 36
- Thank you received: 0
1 year 10 months ago #6132
by Timeforsmilin
Replied by Timeforsmilin on topic Content-Security-Policy update troubles Admin buttons
Hi Jose,
I think that the only extension I have installed outside of yours, is Phoca Maps. I keep the site up to date for security, but don't really use it for anything any longer.
Thanks,
Louis
I think that the only extension I have installed outside of yours, is Phoca Maps. I keep the site up to date for security, but don't really use it for anything any longer.
Thanks,
Louis
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
Less
More
- Posts: 3908
- Karma: 25
- Thank you received: 302
1 year 10 months ago #6133
by Jose
Replied by Jose on topic Content-Security-Policy update troubles Admin buttons
Hi Louis,
If there are no other extensions and no duplicate entries for X-frame into the .htaccess then I can't explain why do you get the duplicate content, but believe me when I say there is no hidden fields nor other invisible tricks to add code. The software is GPL and everyone can audit it.
Regards,
Jose
If there are no other extensions and no duplicate entries for X-frame into the .htaccess then I can't explain why do you get the duplicate content, but believe me when I say there is no hidden fields nor other invisible tricks to add code. The software is GPL and everyone can audit it.
Regards,
Jose
Please Log in or Create an account to join the conversation.
- Timeforsmilin
-
Topic Author
- Offline
- Junior Boarder
-
Less
More
- Posts: 36
- Thank you received: 0
1 year 10 months ago #6134
by Timeforsmilin
Replied by Timeforsmilin on topic Content-Security-Policy update troubles Admin buttons
Hi Jose,
I don't think you have any hidden fields. I had thought that maybe it was hard coded into Joomla, much like we used to have to change php.ini settings to override some insecure default settings coded in.
As you know, I have your software to protect the public from my website, and it does a great job of that! No one has uploaded anything that could infect another user since. Thank you!
Louis
I don't think you have any hidden fields. I had thought that maybe it was hard coded into Joomla, much like we used to have to change php.ini settings to override some insecure default settings coded in.
As you know, I have your software to protect the public from my website, and it does a great job of that! No one has uploaded anything that could infect another user since. Thank you!
Louis
Please Log in or Create an account to join the conversation.
- Timeforsmilin
-
Topic Author
- Offline
- Junior Boarder
-
Less
More
- Posts: 36
- Thank you received: 0
1 year 10 months ago #6135
by Timeforsmilin
Replied by Timeforsmilin on topic Content-Security-Policy update troubles Admin buttons
Hey Jose,
I found it! My host had another htaccess file in the root, outside of the public_html directory that Joomla is installed in. I edited and disabled the duplicate entries in there, and no longer have the unsafe entries, and my buttons are working! I am using a different entry for content-security-policy.
Cheers, Louis
I found it! My host had another htaccess file in the root, outside of the public_html directory that Joomla is installed in. I edited and disabled the duplicate entries in there, and no longer have the unsafe entries, and my buttons are working! I am using a different entry for content-security-policy.
Cheers, Louis
Please Log in or Create an account to join the conversation.
Time to create page: 0.104 seconds