• Resolved srtydrts

    (@srtydrts)


    Hello,

    there is a little bug in the plugin.

    1)
    In referrer policy, values are extra quoted

    For example in chrome it says:

    Failed to set referrer policy: The value '"origin"' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

    The solution probably is to replace this:

    return $htaccess ? 'Referrer-Policy "'.$policy.'"' : 'Referrer-Policy: "'.$policy.'"';

    by this:

    return $htaccess ? 'Referrer-Policy '.$policy : 'Referrer-Policy: '.$policy;

    in core/objects/core.headers.php file

    2)
    HTTP header values should not be quoted either, i.e. the latter one is correct. I think the first might not be understood by web browsers:

    strict-transport-security: "max-age=31536000"
    strict-transport-security: max-age=31536000
    

    3)
    Also, how about adding “preload” option for “strict-transport-security” header?

    thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Milan Petrovic

    (@gdragon)

    Thanks for reporting, but I can’t reproduce the issue. I will test some more.

    Thread Starter srtydrts

    (@srtydrts)

    You don’t need to reproduce it – I wrote where exactly to fix it. Here is a diff of what I use:

    @@ -78,10 +78,10 @@
             $max_age = gdsih_settings()->get('strict_transport_security_max_age', 'headers');
    
             if (gdsih_settings()->get('strict_transport_security_extra', 'headers') == 'includeSubDomains') {
    -            $max_age.= '; includeSubDomains';
    +            $max_age.= '; includeSubDomains; preload';
             }
    
    -        return $htaccess ? 'Strict-Transport-Security "max-age='.$max_age.'"' : 'Strict-Transport-Security: "max-age='.$max_age.'"';
    +        return $htaccess ? 'Strict-Transport-Security max-age='.$max_age.'' : 'Strict-Transport-Security: max-age='.$max_age.'';
         }
    
         private function _generate_referrer_policy($htaccess = false) {
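
Review bot: the `+` line that appends `'; includeSubDomains; preload'` emits preload whenever the `strict_transport_security_extra` setting equals `includeSubDomains`, so includeSubDomains can no longer be chosen without also opting in to preloading; put preload behind its own setting. On the new return line, the `$htaccess` branch now produces an unquoted value that contains spaces (`max-age=...; includeSubDomains; preload`); if that string is used as the argument of an Apache `Header` directive the value has to stay quoted there, and only the non-htaccess branch should lose the quotes. The trailing `.''` on both branches concatenates an empty string and can be dropped.
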
    @@ -93,6 +93,6 @@
                 $policy = 'no-referrer-when-downgrade';
             }
    
    -        return $htaccess ? 'Referrer-Policy "'.$policy.'"' : 'Referrer-Policy: "'.$policy.'"';
    +        return $htaccess ? 'Referrer-Policy '.$policy.'' : 'Referrer-Policy: '.$policy.'';
         }
     }
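
Review bot: both branches of the new return line end in `.''`, which concatenates an empty string and has no effect; write `'Referrer-Policy '.$policy` and `'Referrer-Policy: '.$policy` instead. Removing the quotes from the non-htaccess branch matches the browser error quoted in the report, where the value was read as `"origin"` with the quotes included.
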
    Anonymous User 15232381

    (@anonymized-15232381)

    Hi Milan,

    Any progress on the quotes issue?

    Best regards,
    Peter

    Plugin Author Milan Petrovic

    (@gdragon)

    Fixed in 1.3.


The topic ‘Quoting bug’ is closed to new replies.
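
The quoting problem discussed in this thread can be checked for on any site by linting the response headers. The following is an added example, not part of the thread or of the plugin's code: `lint_header` and the sample lines are constructed for illustration, the policy tokens are the ones listed in the Chrome message quoted above, and the preload check reflects the hstspreload.org submission requirement.

```python
import re

# Policy tokens as listed in the Chrome error message quoted in the thread.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def lint_header(line):
    """Return a list of problems found in one 'Name: value' response header line."""
    name, _, value = line.partition(":")
    name, value = name.strip().lower(), value.strip()
    problems = []
    # The bug from the thread: the entire value sent inside double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        problems.append("whole value is wrapped in double quotes")
        value = value[1:-1].strip()  # keep checking the inner value
    if name == "referrer-policy":
        for token in (t.strip() for t in value.split(",")):
            if token not in REFERRER_POLICIES:
                problems.append(f"unknown policy token {token!r}")
    elif name == "strict-transport-security":
        directives = [d.strip().lower() for d in value.split(";") if d.strip()]
        ages = [d for d in directives if d.startswith("max-age")]
        # RFC 6797 allows a quoted directive value (max-age="N"), not a quoted header.
        if len(ages) != 1 or not re.fullmatch(r'max-age\s*=\s*(\d+|"\d+")', ages[0]):
            problems.append("max-age directive missing, repeated or malformed")
        # hstspreload.org only accepts preload together with includeSubDomains.
        if "preload" in directives and "includesubdomains" not in directives:
            problems.append("preload set without includeSubDomains")
    return problems

# Constructed sample lines: the two broken forms from the report and their fixes.
SAMPLE = [
    'Referrer-Policy: "origin"',
    'Referrer-Policy: origin',
    'strict-transport-security: "max-age=31536000"',
    'strict-transport-security: max-age=31536000; includeSubDomains; preload',
]

if __name__ == "__main__":
    for header in SAMPLE:
        print(header, "->", lint_header(header) or "ok")
```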