• Resolved blueskywebdesign

    (@blueskywebdesign)


    Hello. Hope you are well. I have been using your plugin for some time now. Thanks.

    In this latest update I noticed that the plugin added additional characters to some of the policies, specifically 'self', 'none', 'unsafe-inline' and 'unsafe-eval'. See below.

    PLUGIN
    Contributors: unicorn03, unicorn07, erku, alexclassroom,
    Donate link: https://www.buymeacoffee.com/tentacleplugins
    Tags: headers security, hsts, headers, clickjacking, csp
    Requires at least: 4.7
    Tested up to: 6.8.1
    Stable tag: 5.1.1

    MY CSP

    report-to endpoint;
    upgrade-insecure-requests;
    frame-ancestors 'self';
    object-src 'none';
    worker-src 'self' blob:;
    child-src 'self' blob:;
    font-src 'self' data: https://*.gstatic.com;
    img-src 'self' data: https://*.gravatar.com https://*.w.org https://*.elegantthemes.com;
    default-src 'self';
    media-src 'self';
    form-action 'self';
    style-src 'self' 'unsafe-inline' https://*.googleapis.com;
    frame-src 'self' https://*.google.com;
    connect-src 'self' https://*.elegantthemes.com https://*.digitaloceanspaces.com https://cloudflareinsights.com;
    script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.google.com https://*.gstatic.com https://*.cloudflareinsights.com;

    My .htaccess file

    BEGIN Headers Security Advanced & HSTS WP 5.1.1


    Header set Access-Control-Allow-Methods "GET,POST"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
    Header set Content-Security-Policy "report-to endpoint; upgrade-insecure-requests; object-src \'none\'; worker-src \'self\' blob:; child-src \'self\' blob:; font-src \'self\' data: https://*.gstatic.com; img-src \'self\' data: https://*.gravatar.com https://*.w.org https://*.elegantthemes.com; default-src \'self\'; media-src \'self\'; form-action \'self\'; style-src \'self\' \'unsafe-inline\' https://*.googleapis.com; frame-src \'self\' https://*.google.com; connect-src \'self\' https://*.elegantthemes.com https://*.digitaloceanspaces.com https://cloudflareinsights.com; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' https://*.google.com https://*.gstatic.com https://*.cloudflareinsights.com;"
    Header set Cross-Origin-Embedder-Policy "unsafe-none; report-to=\'default\'"

    On a test site, I removed the plugin (via SSH) and rebuilt the .htaccess file to the WordPress defaults. I logged in to the site, downloaded a fresh copy of your plugin, and the problem returned once I activated the plugin. The only way to solve it was to manually edit the .htaccess file and delete the additional characters.


Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @blueskywebdesign,

    Thank you for this thread and for using the plugin for so long. My name is Andrea and I will help you resolve your issue as quickly as possible.

    Last night I updated the plugin to the latest version, 5.1.2, and if you can confirm my understanding of the issue you are experiencing, I will release the update immediately so we can resolve the problem.

    In practice, in the latest version, an escape is performed on:
    'self' – 'unsafe-inline' – 'unsafe-eval' – 'none' (but these values must not be escaped)

    Input:  default-src 'self'; script-src 'self' 'unsafe-inline'
    Output: default-src 'self'; script-src 'self' 'unsafe-inline'

    Single quotes NOT escaped

    Permissions-Policy with URL:

    Input:  microphone=(self "https://example.com")
    Output: microphone=(self\"https://example.com\")

    Double quotation marks escaped

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @blueskywebdesign,

    Thank you for reporting this issue. You were absolutely correct, the plugin was incorrectly escaping single quotes in CSP directives.

    Issue confirmed
    The plugin was escaping both double quotes and single quotes, which caused CSP keywords like 'self', 'unsafe-inline', and 'unsafe-eval' to be escaped as \'self\', breaking the Content Security Policy functionality.

    Fixed in Version 5.1.2
    The escaping logic has been corrected to only escape double quotes (needed for Permissions-Policy URLs) while preserving single quotes (required for CSP directive keywords).

    Testing completed
    The fix has been thoroughly tested with:

    • CSP directives: default-src 'self'; script-src 'self' 'unsafe-inline' Single quotes preserved (not escaped) 
    • Permissions-Policy: microphone=(self "https://exampledomain.com") Double quotes properly escaped in .htaccess, correctly rendered in browser

    How to update

    1. Download or update version 5.1.2
    2. Go to Settings → Headers Security Advanced & HSTS WP
    3. Click “Save Changes” to regenerate the .htaccess with correct syntax

    Your CSP directives with single quotes will now work correctly without being escaped.

    I hope I’ve solved your problem and that you enjoyed the support.
    Thank you for helping improve the plugin!
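
To make the two behaviours the plugin author describes concrete, here is an added example (not the plugin's code) that renders an Apache `Header set` line with the pre-5.1.2 escaping and with the 5.1.2 escaping, emulates how httpd reads the double-quoted argument, and lints the resulting CSP for leaked backslashes. The header values are constructed samples shaped like the ones in this thread, and the parsing emulation assumes httpd's rule that inside a double-quoted directive argument only `\"` and `\\` are collapsed while any other backslash is kept literally.

```python
"""Reproduce the CSP quote-escaping bug from this thread and check a generated
.htaccess line.  Added example, not the plugin's own code.  escape_buggy and
escape_fixed model the behaviour the plugin author describes (pre-5.1.2 vs
5.1.2); apache_unquote assumes httpd's quoted-argument rule described above."""
import re

# Constructed sample header values (shapes taken from the thread, not a live site).
CSP_VALUE = ("default-src 'self'; object-src 'none'; "
             "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.gstatic.com")
PP_VALUE = 'microphone=(self "https://example.com"), camera=()'


def escape_buggy(value: str) -> str:
    """Pre-5.1.2 behaviour: escapes single quotes too, corrupting CSP keywords."""
    return value.replace('"', '\\"').replace("'", "\\'")


def escape_fixed(value: str) -> str:
    """5.1.2 behaviour: only the double quote that delimits the Apache argument
    needs escaping; single quotes are literal CSP keyword delimiters."""
    return value.replace('"', '\\"')


def header_set_line(name: str, value: str, escape=escape_fixed) -> str:
    """Render a mod_headers directive with a double-quoted argument."""
    return f'Header set {name} "{escape(value)}"'


def apache_unquote(line: str) -> str:
    """Emulate how httpd reads the double-quoted argument of a 'Header set' line
    (assumption: only \\" and \\\\ are collapsed, other backslashes stay literal).
    Returns the header value as the browser would receive it."""
    i = line.index('"') + 1          # first quote opens the argument
    out = []
    while i < len(line):
        c = line[i]
        if c == '\\' and i + 1 < len(line) and line[i + 1] in '"\\':
            out.append(line[i + 1])
            i += 2
            continue
        if c == '"':                 # unescaped quote closes the argument
            break
        out.append(c)
        i += 1
    else:
        raise ValueError("unterminated quoted argument")
    return ''.join(out)


_KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
             "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
             "'wasm-unsafe-eval'"}
_QUOTED_OK = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/=_-]+'$")


def lint_csp(value: str) -> list:
    """Flag source expressions a browser would not understand: anything carrying
    a backslash (escaping leaked into the header) and quoted tokens that are
    neither a known keyword nor a nonce/hash."""
    problems = []
    for directive in filter(None, (d.strip() for d in value.split(';'))):
        name, *sources = directive.split()
        for src in sources:
            if '\\' in src:
                problems.append(f"{name}: {src} contains a backslash")
            elif src.startswith("'") and src not in _KEYWORDS and not _QUOTED_OK.match(src):
                problems.append(f"{name}: unknown quoted source {src}")
    return problems


if __name__ == "__main__":
    for label, esc in (("pre-5.1.2", escape_buggy), ("5.1.2", escape_fixed)):
        line = header_set_line("Content-Security-Policy", CSP_VALUE, esc)
        received = apache_unquote(line)
        print(label, "->", received)
        print("  lint:", lint_csp(received) or "clean")
    pp = header_set_line("Permissions-Policy", PP_VALUE)
    print(pp)
    print("  browser sees:", apache_unquote(pp))
```

Run it against the `Content-Security-Policy` line copied out of your own .htaccess by passing that line to `apache_unquote` and then `lint_csp`; any `contains a backslash` finding is the symptom reported at the top of this thread.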

    Thread Starter blueskywebdesign

    (@blueskywebdesign)

    Good morning. Fix confirmed.

    1. Due to the CSP policy blocking resources (such as style-src and script-src), I found it easier to remove the Headers Security Advanced & HSTS WP entry from the .htaccess file.
    2. Once inside WP, I uploaded the updated plugin via "Plugins > Add Plugin > Upload Plugin". Upon activation, the site broke again. I was able to scroll down to the "Plugins > Installed Plugins" section and "deactivate" HSTS. The website returned to normal.
    3. I then reactivated HSTS, and the plugin installed the default .htaccess setting (upgrade-insecure-requests).
    4. I then added my own policy, saved, and verified the correct entry in the .htaccess file.

    On a secondary website I repeated step 1. On step 2, I deactivated the plugin, then updated the plugin via the "update plugin" option in WP. The HSTS settings reverted to the default settings.

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @blueskywebdesign,

    Thank you for your feedback and for bringing up this topic again, as you have helped to improve an unfortunate bug. If you need further support or information, I am available to resolve the issue as quickly and efficiently as possible.

    Could you confirm that the problem has been resolved on your other sites as well? Thank you.

    I hope I have been of assistance 🙂

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @blueskywebdesign,

    To resolve the latest issue with settings not being retained, I have released a second update that completes version 5.1.3 and should resolve two issues.

    • keep the settings
    • have a less restrictive policy for WordPress

    Thanks for your support.

    Thread Starter blueskywebdesign

    (@blueskywebdesign)

    Hi, I see you are busy updating. I got this now in Settings > Headers Security Advanced & HSTS WP

    Refused to apply style from 'https://domain.com/wp-content/plugins/headers-security-advanced-hsts-wp/assets/css/style-dist.css?ver=5.1.6' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
    load-scripts.php?c=0&load%5Bchunk_0%5D=jquery-core,jquery-migrate,utils,wp-polyfill&ver=6.8.3:5

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @blueskywebdesign,

    I think it’s only a matter of 10 minutes to see style-dist.css correctly. WordPress regenerates the zip file during this time, and you should no longer see the “Refused to apply style” warning.

    I remain available for further feedback.


The topic ‘Additional Characters’ is closed to new replies.