
The value 'origin-when-crossorigin'



Hello,

In the Admin CP in the Safari browser I get this error:

Quote

Failed to set referrer policy: The value 'origin-when-crossorigin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'. Defaulting to 'no-referrer'.

[screenshot: Safari console, 2017-10-25 11:51]

[screenshot: Safari, 2017-10-25 11:52]

in Chrome:

[screenshot: Chrome console, 2017-10-25 11:49]

How do I fix it?

Thank You!


Nginx rules:

	add_header	Strict-Transport-Security	"max-age=63072000; includeSubDomains; preload";
	add_header	X-Frame-Options	"SAMEORIGIN";
	add_header	X-Content-Type-Options	"nosniff";
	add_header	X-UA-Compatible	"IE=Edge";
	add_header	Expect-CT	'max-age=3600; enforce; report-uri="https://myips.report-uri.io/r/default/ct/enforce"';
	add_header	Referrer-Policy	"origin-when-crossorigin";
	add_header	Content-Security-Policy	"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.googletagmanager.com www.google-analytics.com; img-src 'self' data: www.google-analytics.com; style-src 'self' www.google.com fonts.googleapis.com ajax.googleapis.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src ciuvo.com; object-src 'none'";
	ssl_protocols	TLSv1.1	TLSv1.2 TLSv1.3;

	ssl_ciphers	"ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:AES128-GCM-SHA256:AES128-SHA:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-CCM8:!AES128-CCM:!AES256-SHA256:!CAMELLIA256-SHA256:!AES128-SHA256:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!CAMELLIA128-SHA256:!AES256-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!SRP:!DSS:!RC4";

	ssl_prefer_server_ciphers	on;

	ssl_ecdh_curve	X25519:secp521r1:secp384r1;

If I comment out all the rules, the problem still remains.


Could someone with an active client please send a request, because I do not currently have an active license.

I fixed two entries in the database and one in the template (application/core/data/theme.xml). I also changed the Nginx rules to:

	add_header	Strict-Transport-Security	"max-age=63072000; includeSubDomains; preload";
	add_header	X-Frame-Options	"SAMEORIGIN";
	add_header	X-Content-Type-Options	"nosniff";
	add_header	X-UA-Compatible	"IE=Edge";
	add_header	Expect-CT	'max-age=3600; enforce; report-uri="https://myips.report-uri.io/r/default/ct/enforce"';
	add_header	Referrer-Policy	"origin-when-cross-origin";
	add_header	Content-Security-Policy	"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.googletagmanager.com www.google-analytics.com; img-src 'self' data: www.google-analytics.com; style-src 'self' www.google.com fonts.googleapis.com ajax.googleapis.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src ciuvo.com; object-src 'none'";

	ssl_protocols	TLSv1.1	TLSv1.2 TLSv1.3;

	ssl_ciphers	"ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:AES128-GCM-SHA256:AES128-SHA:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-CCM8:!AES128-CCM:!AES256-SHA256:!CAMELLIA256-SHA256:!AES128-SHA256:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!CAMELLIA128-SHA256:!AES256-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!SRP:!DSS:!RC4";

	ssl_prefer_server_ciphers	on;

	ssl_ecdh_curve	X25519:secp521r1:secp384r1;


The problem disappeared in Firefox (56, 64-bit) and Safari Technology Preview (Release 42 (Safari 11.1, WebKit 13605.1.10)), but remained in Safari (11.0) and Chrome (62.0.3202.62).

Safari

[screenshot: Safari, 2017-10-25 15:11]

Chrome

[screenshot: Chrome, 2017-10-25 15:12]


4 weeks later...
On 10/25/2017 at 6:29 AM, Marcher Technologies said:

https://www.w3.org/TR/referrer-policy/#referrer-policy-origin-when-cross-origin

This would appear to be a bug; please submit a ticket so it can be fixed in the relevant admincp template. All other browsers seem to be ignoring the typo present (origin-when-crossorigin is incorrect; it should be origin-when-cross-origin).

I've reviewed and pushed a patch to adjust this for development review

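The two places the typo lived in this thread are the nginx add_header line and the admincp template's meta referrer value, and browsers parse those two forms differently. The following is an added example, not code from the thread or from Invision Community: it implements the spec's header parsing (comma-separated list, unknown tokens ignored, last recognised token wins), the HTML meta parsing with its legacy keyword list (the mapping of "never" and "origin-when-crossorigin" follows the HTML spec's legacy keywords for meta referrer; the browsers in the thread evidently did not apply it), and a small linter that scans nginx directives for a Referrer-Policy value no browser would accept. The sample config lines are constructed from the rules posted above, and the regex assumes the one-value-per-line add_header form shown there.

```javascript
// Added example (not from the thread or Invision Community): a small
// Referrer-Policy linter that mirrors how browsers parse the value and flags
// the "origin-when-crossorigin" typo from the nginx rules posted above.

const REFERRER_POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// HTTP header parsing per the Referrer Policy spec: split on commas, trim,
// ignore tokens that are not a known policy, and let the last recognised
// token win. An empty string means "no valid policy was supplied".
function parseReferrerPolicyHeader(headerValue) {
  let policy = "";
  for (const raw of headerValue.split(",")) {
    const token = raw.trim();
    if (REFERRER_POLICIES.has(token)) policy = token;
  }
  return policy;
}

// <meta name="referrer"> parsing per the HTML spec: ASCII-lowercase the
// content attribute and map legacy keywords onto current names (assumed
// mapping, taken from the HTML spec's legacy keyword list). A browser that
// honours this list accepts "origin-when-crossorigin" in the template;
// the browsers in the thread reported an error instead.
const META_LEGACY_KEYWORDS = {
  "never": "no-referrer",
  "origin-when-crossorigin": "origin-when-cross-origin",
};

function parseMetaReferrer(content) {
  const value = content.trim().toLowerCase();
  if (REFERRER_POLICIES.has(value)) return value;
  return Object.prototype.hasOwnProperty.call(META_LEGACY_KEYWORDS, value)
    ? META_LEGACY_KEYWORDS[value]
    : "";
}

// Suggest the nearest valid policy for an invalid value by comparing with
// hyphens and case removed, which catches the missing hyphen in the thread.
function suggestPolicy(value) {
  const fold = (s) => s.toLowerCase().replace(/-/g, "");
  for (const policy of REFERRER_POLICIES) {
    if (fold(policy) === fold(value)) return policy;
  }
  return null;
}

// Scan nginx directives for add_header Referrer-Policy lines whose value no
// browser would recognise, and return one finding per offending line.
function lintNginxReferrerPolicy(configText) {
  const directive = /^\s*add_header\s+Referrer-Policy\s+(["'])(.*?)\1\s*;/gim;
  const findings = [];
  for (const match of configText.matchAll(directive)) {
    const value = match[2];
    if (parseReferrerPolicyHeader(value) === "") {
      findings.push({ value, suggestion: suggestPolicy(value) });
    }
  }
  return findings;
}

// Constructed sample, trimmed from the rules in the thread (tabs as posted).
const SAMPLE_NGINX_RULES = [
  '\tadd_header\tX-Content-Type-Options\t"nosniff";',
  '\tadd_header\tReferrer-Policy\t"origin-when-crossorigin";',
  '\tadd_header\tX-Frame-Options\t"SAMEORIGIN";',
].join("\n");

for (const f of lintNginxReferrerPolicy(SAMPLE_NGINX_RULES)) {
  console.log(`invalid Referrer-Policy "${f.value}", did you mean "${f.suggestion}"?`);
}
```

Two practical points follow from the header parsing rule. First, because unknown tokens are ignored and the last recognised one wins, a list such as `Referrer-Policy: no-referrer, strict-origin-when-cross-origin` lets you ship a newer policy while older browsers fall back to an older, safe one, rather than to nothing. Second, an invalid value fails closed only by accident: the browsers in the thread fell back to no-referrer, which leaks less than intended but also means analytics or CSRF checks that rely on the referrer stop working silently. Run the linter over the config before deploying, and confirm the served value against a live host by inspecting the `curl -sI` output for the Referrer-Policy header.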
