Clickjacking settings doesn't work


I'm trying to set CSP Header rules to secure my website. It appears iframe embed settings in "Advanced Configuration" interfere with the rules I add in my .htaccess file.

So I tried to select the second option: "Using a custom Content Security Policy (Advanced)". But I checked in core_sys_conf_settings and neither the clickjackprevention value nor the csp_header are updated when I save my settings. So it seems to me database values are not read or written by this settings page or by the system.

Moreover, even if I modify the values directly in database they are ignored.

I tried the 3rd option: "Anywhere (Not Recommended)" and it doesn't work either. And the "Do not send header" option for "Restrict Referrer Policy" is also ignored.


Looking at your community, I am seeing custom CSP rules. Not the ones setup in the ACP. You cannot run both 🙂 . You would need to choose to set it one or the other.

The referrer policy is indeed being set though.


This is what I see right now (Safari 17.1):


And, of course, when I tried to set them in IC, I commented out the lines in my .htaccess first.

The full rules I want to set are (using .htaccess syntax):

Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; base-uri 'self';"

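An added example, not from this thread or from Invision Community: parse the headers a server actually returns and report whether more than one Content-Security-Policy header is being sent (the .htaccess versus ACP conflict described above), what each one's frame-ancestors allows, and whether X-Frame-Options and Referrer-Policy are present. The response block below is constructed; paste in the output of `curl -sI` against your own site to check the real thing.

```python
def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response header block into {name: [values]}.
    Repeated headers are kept as a list so duplicates can be detected."""
    headers: dict = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():                   # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    directives: dict = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(raw: str) -> dict:
    """Summarise the clickjacking / CSP posture of one response."""
    h = parse_headers(raw)
    csps = [parse_csp(p) for p in h.get("content-security-policy", [])]
    return {
        "csp_count": len(csps),
        # Browsers enforce every CSP header received (the effective policy is
        # the intersection), so two copies usually means two sources fighting.
        "duplicate_csp": len(csps) > 1,
        "frame_ancestors": [p.get("frame-ancestors") for p in csps],
        "x_frame_options": h.get("x-frame-options", [None])[0],
        "referrer_policy": h.get("referrer-policy", [None])[0],
        "clickjacking_protected": "x-frame-options" in h
                                   or any("frame-ancestors" in p for p in csps),
    }


# Constructed sample: the .htaccess rules quoted above plus a second CSP
# header, as seen when the application also emits its own policy.
SAMPLE = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; base-uri 'self';
Content-Security-Policy: frame-ancestors *
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html

"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```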

You would need to check and ensure CRON is working as when saving I receive this:

In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777).

Thus, new changes won't save until that is addressed. Once I switched background tasks to run via Traffic, changes worked without issue.


3 hours ago, Jim M said:

You would need to check and ensure CRON is working as when saving I receive this:

In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777).

I've seen this problem several times. Making that error message more visible would certainly help. 👀

Maybe a big red error message at the top of the form like other pages do.

Edited by teraßyte

On 1/20/2024 at 12:00 AM, teraßyte said:

I've seen this problem several times. Making that error message more visible would certainly help. 👀

Maybe a big red error message at the top of the form like other pages do.

Added this as a bug
