Dylan
Forum Replies Created
Forum: Plugins
In reply to: [WP Content Security Plugin] Disabling REST API breaks error reporting
The plugin used AJAX in the first iterations, but with the REST API becoming part of the core it seemed to make sense to switch. You could switch to a third-party logging service such as https://report-uri.com/, though that would still leave the admin system needing REST.
The full URL of any included file will be visible in the HTML source code or in the network tab of your browser, so I’m not sure you’re hiding anything unless this is a login-restricted part of the site.
I normally just allow ‘self’ as I trust my own site; the plugin will auto-add your domain name too, as some browsers do not understand ‘self’ (bugs everywhere!). If you don’t trust your own site I would recommend WordFence, which will scan your entire site, including non-WP files, for issues. I also install Better WP Security – between them they block the majority of attacks, though they slightly overlap.
You could try CSP v3 (uses nonces), which makes the code mark the CSS/JS files as trusted when they are loaded, so you don’t need to add them to the CSP policies.
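How the nonce approach from the reply above looks in a WordPress site, as an added illustration that is not the WP Content Security Plugin’s own code: `send_headers`, `script_loader_tag` and `style_loader_tag` are standard WordPress hooks, while the `csp_demo_*` names and the policy itself are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a CSP v3 style policy in which a
// per-request nonce marks the scripts and styles WordPress enqueues as trusted,
// so third-party CDN domains need not be listed in the policy one by one.

function csp_demo_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        // 128 bits from the CSPRNG, base64 encoded as the CSP grammar expects.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;   // one value per request, never reused across requests
}

function csp_demo_policy(string $nonce): string {
    // 'self' stays as a fallback for browsers that ignore nonces; an inline
    // script injected into the page still fails because it carries no nonce.
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; "
         . "style-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; base-uri 'self'";
}

add_action('send_headers', function () {
    header('Content-Security-Policy: ' . csp_demo_policy(csp_demo_nonce()));
});

// Stamp the nonce onto each <script> / <link> tag WordPress prints for an
// enqueued handle. Tags printed by other means (hard-coded theme markup, a
// plugin echoing its own <script>) never pass through these filters, and
// those are the ones a nonce-only policy will block until they are fixed.
function csp_demo_add_nonce(string $tag): string {
    $nonce = esc_attr(csp_demo_nonce());
    return preg_replace('/<(script|link)\b/i', '<$1 nonce="' . $nonce . '"', $tag);
}
add_filter('script_loader_tag', 'csp_demo_add_nonce');
add_filter('style_loader_tag', 'csp_demo_add_nonce');
```

Inline styles added with `wp_add_inline_style` are printed as separate `<style>` blocks and would need the same treatment through their own filter.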
Forum: Plugins
In reply to: [WP Content Security Plugin] jQuery-ui loaded on front
Way ahead of you – that change is being made in the next release; it will only load support files when the pages that need them are loaded.
This plugin does not modify .htaccess, apache.conf, etc. – all headers are sent through PHP.
If you’re using Cloudflare I would guess they are stripping the headers out, though their own documentation says they will pass through the headers: https://support.cloudflare.com/hc/en-us/articles/216537517-What-is-Content-Security-Policy-CSP-and-how-can-I-use-it-with-Cloudflare-
Is there a way to access your site directly without using Cloudflare? It could just be cached data and therefore not reacting to changes you’re making in real time.
I see no CSP headers, though I do see the other headers:
strict-transport-security:max-age=15552000; includeSubDomains; preload
x-content-type-options:nosniff
x-frame-options:sameorigin
x-xss-protection:1; mode=block
Does the admin page say CSP is turned off? Try setting CSP headers to report only and see if something starts coming out.
Did you check your server error logs? Is something showing (might be a PHP compatibility issue)?
What’s your site URL – I’ll take a look?
Forum: Plugins
In reply to: [WP Content Security Plugin] Logs Showing Wierd Blocked URL’s
I have the weird Google domains showing up on a number of sites too. Not sure what they are, probably a tracking pixel for advertising as they seem to be predominantly img-src reports. I see you run Google ads on your site; this might be Google trying to find local ads for non-UK visitors.
I see you’re using CSP version 2, have you tried version 3? I was wondering if it worked for you or if you’re happy with version 2. The main difference is that nonces are used to approve styles and scripts rather than adding domains individually – that might fix your Google domain issue. It’s tricky to implement as some plugins will not work happily with version 3 and you might need to change some of your code.
It looks like you have an error in your CSP:
The source list for Content Security Policy directive ‘img-src’ contains a source with an invalid path: ‘/api/capture?access_key=8df67e5f400883f215f8e8d7a7588bf4&url=https://goo.gl/dLZtta&viewport=414×736&fullpage=1&delay=3’. The query component, including the ‘?’, will be ignored.
Did the plugin flag this? If not I might need to add it.
The CSP header changes depending on whether enforced or report only – the header changes to “Content-Security-Policy” or “Content-Security-Policy-Report-Only” – if you check the network tab, ensure the enforce version is showing.
Are you testing on v2.3 of the plugin? Version 2.2 would lose the enforce setting. I just checked a site using v2.3 and it’s showing OK on https://securityheaders.io/
no-referrer-when-downgrade is the default if nothing is set. I checked and if nothing is set then no header is added. This might be the testing tool adding its own default in.
Forum: Plugins
In reply to: [WP Content Security Plugin] Enforce policies CSP Mode doesn’t work
2.3 is out there with a fix for this issue.
Forum: Plugins
In reply to: [WP Content Security Plugin] Enforce policies CSP Mode doesn’t work
I pushed version 2.3 with a fix for this; hopefully it will appear in the update list soon.
Forum: Plugins
In reply to: [WP Content Security Plugin] Version 2.2 issues
Looks like there’s an “empty()” check on the CSP enabled field, which is 0 for enabled, which has caused it to go wonky. I’m working on a fix and will push soon.
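The three points from the replies above in one place (the enforce/report-only header name, flagging an img-src source whose path carries a ‘?’ query before the browser silently truncates it, and the `empty()` misread of an “enabled” value of 0), as an added illustration that is not the plugin’s own code; all `csp_demo_*` names, the option format and the REST route are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Names, option format and the
// report route are assumed; only the behaviours shown come from the replies.

// The 2.2 bug: the stored option is 0 when CSP is enabled, and PHP's
// empty(0) and empty("0") are both true, so "enabled" was read as "off".
function csp_demo_enabled_buggy($option): bool { return !empty($option); }
// Fix: compare with the value that actually means enabled (cast covers "0" vs 0).
function csp_demo_enabled($option): bool { return (string) $option === '0'; }

// Warn about a host/path source whose path carries a query or fragment.
// Keyword sources ('self', 'none', 'nonce-...') and scheme sources (https:)
// have no path and are left alone.
function csp_demo_source_problem(string $src): ?string {
    if ($src === '' || $src[0] === "'" || preg_match('#^[a-z][a-z0-9+.-]*:$#i', $src)) {
        return null;
    }
    if (strpbrk($src, '?#') !== false) {
        return "'$src' has a query/fragment; the browser ignores everything from the '?' on";
    }
    return null;
}

/** @param array<string,string[]> $directives  e.g. ['img-src' => ["'self'", 'https://cdn.example']] */
function csp_demo_build_header(array $directives, bool $enforce, string $reportUri): array {
    $parts = $warnings = [];
    foreach ($directives as $name => $sources) {
        foreach ($sources as $src) {
            if (($w = csp_demo_source_problem($src)) !== null) {
                $warnings[] = "$name: $w";
            }
        }
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    $parts[] = 'report-uri ' . $reportUri;   // where the browser POSTs violation reports
    return [
        'name'     => $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only',
        'value'    => implode('; ', $parts),
        'warnings' => $warnings,
    ];
}

// Constructed sample shaped like the img-src error quoted above (placeholder values).
$h = csp_demo_build_header(
    ['img-src' => ["'self'", 'https://capture.example/api/capture?access_key=PLACEHOLDER&url=https://example.org']],
    csp_demo_enabled('0'),            // true, so the enforcing header name is used
    '/wp-json/csp-demo/v1/report'     // assumed REST route that writes to the plugin's log
);
header($h['name'] . ': ' . $h['value']);
foreach ($h['warnings'] as $w) { error_log('CSP config: ' . $w); }
```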
Forum: Plugins
In reply to: [WP Content Security Plugin] Version 2.2 issues
The call to “Internal Test URL Checker” should do a REST call to run a routine on the server which returns the results. Can you check your browser’s network tab to see if this call is having issues?
Forum: Plugins
In reply to: [WP Content Security Plugin] HSTS Preload with includeSubDomains
This was pushed out in the 2.2 version.
Forum: Plugins
In reply to: [WP Content Security Plugin] HSTS Preload with includeSubDomains
Ah got it, had to plug into the canonical filter and redirect one step at a time.
Forum: Plugins
In reply to: [WP Content Security Plugin] HSTS Preload with includeSubDomains
I added this to my dev version of the plugin but it’s giving me some issues, as the redirect is happening without an HSTS header and redirects from the non-WWW to the WWW version of the domain name, i.e. http://mysite.com goes to https://www.mysite.com, which apparently is not preferred.
Errors from https://hstspreload.org/:
Error: No HSTS header
Response error: No HSTS header is present on the response.
Error: HTTP redirects to www first
http://mysite.com (HTTP) should immediately redirect to https://mysite.com (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.mysite.com/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
I’m not sure at this point if it’s because I’m on Amazon ELBs or if it’s something else. I’ll have to move the new code to another non-Amazon server to check.
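The one-hop-at-a-time redirect order that the hstspreload.org errors above ask for, as an added illustration that is not the plugin’s code: `template_redirect`, `wp_redirect` and the `$_SERVER` keys are standard, while the `csp_demo_*` names and the placeholder domain are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Each request moves one hop:
//   http://mysite.com   -> https://mysite.com       (same host; this HTTPS response carries HSTS)
//   https://mysite.com  -> https://www.mysite.com   (only then canonicalise to www)
// Jumping straight from http://mysite.com to https://www.mysite.com leaves the
// bare domain without an HSTS entry, which is the second error quoted above.

const CSP_DEMO_CANONICAL_HOST = 'www.mysite.com';   // placeholder, assumed

function csp_demo_next_hop(bool $https, string $host, string $path): ?string {
    $host = strtolower($host);
    if (!$https) {
        // Hop 1: upgrade the scheme only and keep the host the visitor typed.
        return 'https://' . $host . $path;
    }
    if ($host !== CSP_DEMO_CANONICAL_HOST) {
        // Hop 2: already on HTTPS (HSTS has been sent), now move to the canonical host.
        return 'https://' . CSP_DEMO_CANONICAL_HOST . $path;
    }
    return null;   // canonical already, nothing to do
}

function csp_demo_hsts_header(): string {
    // hstspreload.org requires max-age of at least one year plus includeSubDomains and preload.
    return 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload';
}

function csp_demo_request_is_https(): bool {
    // Behind a load balancer such as an ELB, TLS terminates before PHP and
    // $_SERVER['HTTPS'] stays unset; the balancer reports the original scheme in
    // X-Forwarded-Proto. Only trust that header when a balancer you control sets it,
    // otherwise a client can spoof it and skip hop 1.
    return (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https');
}

add_action('template_redirect', function () {
    $https = csp_demo_request_is_https();
    if ($https) {
        header(csp_demo_hsts_header());   // browsers only honour HSTS received over HTTPS
    }
    $to = csp_demo_next_hop($https, $_SERVER['HTTP_HOST'] ?? '', $_SERVER['REQUEST_URI'] ?? '/');
    if ($to !== null) {
        wp_redirect($to, 301);
        exit;
    }
});
```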