kysil
Posted October 25, 2017

Hello, in the Admin CP in the Safari browser I have this error:

> Failed to set referrer policy: The value 'origin-when-crossorigin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'. Defaulting to 'no-referrer'.

In Chrome: [screenshot]

How to FIX it? Thank You!

kysil
Posted October 25, 2017

Nginx rules:

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-UA-Compatible "IE=Edge";
    add_header Expect-CT 'max-age=3600; enforce; report-uri="https://myips.report-uri.io/r/default/ct/enforce"';
    add_header Referrer-Policy "origin-when-crossorigin";
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.googletagmanager.com www.google-analytics.com; img-src 'self' data: www.google-analytics.com; style-src 'self' www.google.com fonts.googleapis.com ajax.googleapis.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src ciuvo.com; object-src 'none'";
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:AES128-GCM-SHA256:AES128-SHA:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-CCM8:!AES128-CCM:!AES256-SHA256:!CAMELLIA256-SHA256:!AES128-SHA256:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!CAMELLIA128-SHA256:!AES256-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!SRP:!DSS:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:secp521r1:secp384r1;

If I comment out all the rules, the problem still remains.

Marcher Technologies
Posted October 25, 2017

https://www.w3.org/TR/referrer-policy/#referrer-policy-origin-when-cross-origin

This would appear to be a bug, please submit a ticket so it can be fixed in the relevant admincp template. All other browsers seem to be ignoring the typo present (origin-when-crossorigin is incorrect, it should be origin-when-cross-origin).

kysil
Posted October 25, 2017

Please, could someone who is an active client send the request, because I do not currently have an active license.

Fixed two entries in the Database and one in the Template (application / core / data / theme.xml). Also changed the Nginx rules to:

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-UA-Compatible "IE=Edge";
    add_header Expect-CT 'max-age=3600; enforce; report-uri="https://myips.report-uri.io/r/default/ct/enforce"';
    add_header Referrer-Policy "origin-when-cross-origin";
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.googletagmanager.com www.google-analytics.com; img-src 'self' data: www.google-analytics.com; style-src 'self' www.google.com fonts.googleapis.com ajax.googleapis.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src ciuvo.com; object-src 'none'";
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:AES128-GCM-SHA256:AES128-SHA:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-CCM8:!AES128-CCM:!AES256-SHA256:!CAMELLIA256-SHA256:!AES128-SHA256:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!CAMELLIA128-SHA256:!AES256-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!SRP:!DSS:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:secp521r1:secp384r1;

The problem disappeared in Firefox (56, 64bit) and Safari Technology Preview (Release 42 (Safari 11.1, WebKit 13605.1.10)), but stayed in Safari (11.0) and Chrome (62.0.3202.62).

[screenshots: Safari, Chrome]

bfarber
Posted November 21, 2017

On 10/25/2017 at 6:29 AM, Marcher Technologies said:

> https://www.w3.org/TR/referrer-policy/#referrer-policy-origin-when-cross-origin
>
> This would appear to be a bug, please submit a ticket so it can be fixed in the relevant admincp template. All other browsers seem to be ignoring the typo present (origin-when-crossorigin is incorrect, it should be origin-when-cross-origin).

I've reviewed and pushed a patch to adjust this for development review.

kysil
Posted February 6, 2018

On 11/21/2017 at 3:53 PM, bfarber said:

> I've reviewed and pushed a patch to adjust this for development review.

Hello, your patch is not applied in the latest version.

bfarber
Posted February 7, 2018

It is slated to be released in 4.3.0.

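The thread shows the same policy value coming from two places, the Nginx `add_header` line and the Admin CP template, which is why editing only the server config did not clear the browser error. The following check is an added example, not code from the thread or from the forum software: it scans text for both sources and validates each token against the list in the quoted error message. The `<meta name="referrer">` form of the template tag and the sample text are assumptions constructed for illustration.

```python
import difflib
import re

# Valid tokens, copied from the browser error message quoted in the thread.
VALID = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# nginx directive: add_header Referrer-Policy "value"; (commented lines skipped)
NGINX_RE = re.compile(
    r"""^[ \t]*add_header\s+Referrer-Policy\s+(["']?)([^"';]*)\1""", re.I | re.M)
# Template markup: <meta name="referrer" content="value"> (assumed attribute order)
META_RE = re.compile(
    r"""<meta\b[^>]*\bname=["']referrer["'][^>]*\bcontent=["']([^"']*)["']""", re.I)

# Constructed sample: nginx lines as in the thread plus a hypothetical meta tag.
SAMPLE = """\
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy "origin-when-cross-origin";
# add_header Referrer-Policy "origin-when-crossorigin";
<meta name="referrer" content="origin-when-crossorigin">
"""


def check_value(value):
    """Return (effective_policy, [(bad_token, suggestion), ...]).

    In a comma-separated header value, unknown tokens are ignored and the last
    recognised one wins; meta content is treated the same (a simplification).
    """
    effective, bad = None, []
    for token in (t.strip().lower() for t in value.split(",")):
        if token in VALID:
            effective = token
        elif token:
            hint = difflib.get_close_matches(token, VALID, n=1)
            bad.append((token, hint[0] if hint else None))
    return effective, bad


def scan(text):
    """Locate Referrer-Policy values in config or template text and check them."""
    findings = []
    for source, regex, group in (("nginx", NGINX_RE, 2), ("meta", META_RE, 1)):
        for m in regex.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((source, line) + check_value(m.group(group)))
    return findings
```

Running `scan()` over the web server config and the theme templates together shows every place that still emits an unrecognised token, with the nearest valid spelling as a hint.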
Archived
This topic is now archived and is closed to further replies.