known issue Clickjacking settings doesn't work

[Webmaster Scr]

I'm trying to set CSP Header rules to secure my website. It appears iframe embed settings in "Advanced Configuration" interfere with the rules I add in my .htaccess file.

So I tried to select the second option: "Using a custom Content Security Policy (Advanced)". But I checked in core_sys_conf_settings and nor the clickjackprevention value, nor the csp_header are updated when I save my settings. So it seems to me database values are not read or written by this setting page or by the system.

Moreover, even if I modify the values directly in database they are ignored.

I tried the 3rd option: "Anywhere (Not Recommended)" and it doesn't work too. And the "Do not send header" for "Restrict Referrer Policy" is also ignored.

 

[Jim M]

Looking at your community, I am seeing custom CSP rules. Not the ones setup in the ACP. You cannot run both 🙂 . You would need to choose to set it one or the other.

The referrer policy is indeed being set though.

[Webmaster Scr]

This is what I see, right now (Safari 17.1) :

And, of course, when I tried to set them in IC, I comment the lines in my .htaccess before.

The full rules I want to set are (using .htacces syntax):

Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; base-uri 'self';"

[Jim M]

If your .htaccess rules are working, why are you setting this as well in the ACP?

[Webmaster Scr]

Because according Google insight and https://observatory.mozilla.org/analyze/ I have syntax error in my rules when both are activated. And I can't deactivate IC rules.

Does I t work for you? I mean, if you change something, save, go to another page and went back, do you see the new settings or always the ones I paste above?

[Jim M]

I only see your custom settings. I do not see our settings.

[Webmaster Scr]

Try to change something, please, and tell me if it updates or not.

For example, try to save with "Anywhere (Not Recommended)" and "Do not send header", go to another page and come back.

[Jim M]

You would need to check and ensure CRON is working as when saving I receive this:

In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777).

Thus, new changes won't be saving till that is addressed. Once I switch background tasks to run via Traffic, changes worked with issue

[teraßyte]

3 hours ago, Jim M said:

You would need to check and ensure CRON is working as when saving I receive this:

In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777).

I've seen this problem several times. Making that error message more visible would certainly help. 👀

Maybe a big red error message at the top of the form like other pages do.

Edited January 20 by teraßyte

[Webmaster Scr]

13 hours ago, Jim M said:

In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777).

 

Yup, this was the problem. Thx. 👍🏼

[Marc Stridgen]

On 1/20/2024 at 12:00 AM, teraßyte said:

I've seen this problem several times. Making that error message more visible would certainly help. 👀

Maybe a big red error message at the top of the form like other pages do.

Added this as a bug