Posted January 19, 2024 I'm trying to set CSP header rules to secure my website. It appears iframe embed settings in "Advanced Configuration" interfere with the rules I add in my .htaccess file. So I tried to select the second option: "Using a custom Content Security Policy (Advanced)". But I checked in core_sys_conf_settings and neither the clickjackprevention value nor the csp_header are updated when I save my settings. So it seems to me database values are not read or written by this settings page or by the system. Moreover, even if I modify the values directly in the database they are ignored. I tried the 3rd option: "Anywhere (Not Recommended)" and it doesn't work either. And the "Do not send header" for "Restrict Referrer Policy" is also ignored.
January 19, 2024 Community Expert Looking at your community, I am seeing custom CSP rules. Not the ones set up in the ACP. You cannot run both 🙂 . You would need to choose one or the other. The referrer policy is indeed being set though.
January 19, 2024 Author This is what I see, right now (Safari 17.1): And, of course, when I tried to set them in IC, I commented out the lines in my .htaccess first. The full rules I want to set are (using .htaccess syntax):
Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; base-uri 'self';"
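The problem in this thread is two sources (.htaccess and the ACP) each emitting a Content-Security-Policy header, which browsers enforce together and which online analyzers report as errors. The following is an added example, not code from this thread or from Invision Community, that inspects the headers of a response the way a practitioner would check a site: it parses each CSP value into directives, flags when more than one policy is sent, flags a directive repeated inside one policy (browsers keep only the first copy), and flags the permissive 'unsafe-inline' / 'unsafe-eval' script sources from the rules above. The header values are constructed samples that mirror the thread's rules; the `headers` list is in the shape you would get from a response's header pairs.

```python
"""Audit the Content-Security-Policy headers of an HTTP response.

Added example for this thread. The sample headers below are constructed
to mirror the .htaccess rules quoted above; nothing is fetched from a site.
"""
from typing import Dict, List, Tuple

# Constructed sample: one CSP header from .htaccess, a second one from the
# application (the ACP setting), plus X-Frame-Options. This is the situation
# where two policies are active at once.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Security-Policy",
     "frame-ancestors 'self'; object-src 'self'; "
     "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; "
     "base-uri 'self';"),
    ("Content-Security-Policy", "frame-ancestors 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
]


def parse_csp(value: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split one CSP header value into ({directive: [sources]}, duplicates).

    Directives are separated by ';', sources by whitespace. A directive that
    appears twice in the same policy is ignored by browsers after its first
    occurrence, so the first copy is kept and the name is reported as a duplicate.
    """
    policy: Dict[str, List[str]] = {}
    duplicates: List[str] = []
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:  # empty segment, e.g. the trailing ';' in the sample
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in policy:
            duplicates.append(name)
            continue
        policy[name] = sources
    return policy, duplicates


def audit_csp(headers: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings for the CSP headers in a response."""
    findings: List[str] = []
    csp_values = [v for (n, v) in headers if n.lower() == "content-security-policy"]
    if not csp_values:
        return ["no Content-Security-Policy header sent"]
    if len(csp_values) > 1:
        # Every policy is enforced; a resource must be allowed by all of them,
        # so the effective policy is the intersection of what each allows.
        findings.append(f"{len(csp_values)} CSP headers sent; all are enforced, "
                        "effective policy is their intersection")
    for value in csp_values:
        policy, duplicates = parse_csp(value)
        for name in duplicates:
            findings.append(f"directive '{name}' repeated; only the first copy applies")
        # script-src falls back to default-src when absent.
        script = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:
                findings.append(f"script-src allows {weak}")
        if "frame-ancestors" not in policy:
            findings.append("no frame-ancestors directive in this policy")
    return findings


if __name__ == "__main__":
    for finding in audit_csp(SAMPLE_HEADERS):
        print("-", finding)
```

Running it against a live site only needs the header pairs from a real response in place of `SAMPLE_HEADERS`; once the ACP and .htaccess disagree, the "2 CSP headers sent" finding is the first thing to appear, which is the condition the analyzers in this thread complain about.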
January 19, 2024 Community Expert If your .htaccess rules are working, why are you setting this as well in the ACP?
January 19, 2024 Author Because according to Google Insights and https://observatory.mozilla.org/analyze/ I have a syntax error in my rules when both are activated. And I can't deactivate IC rules. Does it work for you? I mean, if you change something, save, go to another page and go back, do you see the new settings or always the ones I pasted above?
January 19, 2024 Author Try to change something, please, and tell me if it updates or not. For example, try to save with "Anywhere (Not Recommended)" and "Do not send header", go to another page and come back.
January 19, 2024 Community Expert You would need to check and ensure CRON is working, as when saving I receive this: In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777). Thus, new changes won't be saved until that is addressed. Once I switched background tasks to run via Traffic, changes worked with issue.
January 20, 2024 Community Expert 3 hours ago, Jim M said: You would need to check and ensure CRON is working, as when saving I receive this: In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777). I've seen this problem several times. Making that error message more visible would certainly help. 👀 Maybe a big red error message at the top of the form like other pages do. Edited January 20, 2024 by teraßyte
January 20, 2024 Author 13 hours ago, Jim M said: In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777). Yup, this was the problem. Thx. 👍🏼
January 22, 2024 Community Expert On 1/20/2024 at 12:00 AM, teraßyte said: I've seen this problem several times. Making that error message more visible would certainly help. 👀 Maybe a big red error message at the top of the form like other pages do. Added this as a bug.