
Posted

I'm trying to set CSP header rules to secure my website. It appears the iframe embed settings in "Advanced Configuration" interfere with the rules I add in my .htaccess file.

So I tried to select the second option: "Using a custom Content Security Policy (Advanced)". But I checked in core_sys_conf_settings and neither the clickjackprevention value nor the csp_header value is updated when I save my settings. So it seems to me the database values are not read or written by this settings page or by the system.

Moreover, even if I modify the values directly in the database, they are ignored.

I tried the 3rd option: "Anywhere (Not Recommended)" and it doesn't work either. And the "Do not send header" option for "Restrict Referrer Policy" is also ignored.


Posted

Looking at your community, I am seeing custom CSP rules, not the ones set up in the ACP. You cannot run both 🙂 . You would need to choose one or the other.

The referrer policy is indeed being set though.

Posted

This is what I see right now (Safari 17.1):

[screenshot attached]

And, of course, when I tried to set them in IC, I commented out the lines in my .htaccess beforehand.

The full rules I want to set are (using .htaccess syntax):

Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; base-uri 'self';"
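
The problem described in the first post (rules from .htaccess and from the ACP both reaching the browser) is easiest to diagnose from the response headers the site actually sends. The script below is an added example for this thread, not Invision Community code or anything the poster ran: it reads a raw HTTP header dump on stdin, counts Content-Security-Policy headers, pulls the frame-ancestors source list out of each policy, and warns when more than one policy is present. Browsers enforce every CSP header they receive, so two policies behave as their intersection rather than "whichever was saved last". The header dump embedded in the script is a constructed sample that imitates the situation (the poster's .htaccess policy plus a second, application-emitted policy); it is not a capture from the poster's site. The curl invocation in the comment is the assumed way to feed it a live response.

```shell
#!/bin/sh
# Added example (not from the thread or Invision Community): audit the security
# headers a site actually sends and flag two sources each emitting a
# Content-Security-Policy. Live use (assumes curl is installed):
#   curl -sS -D - -o /dev/null https://example.com/ | audit_headers

# header_values NAME: print the value of every NAME header on stdin
# (case-insensitive name match, CR stripped), one per line.
header_values() {
  tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    {
      i = index($0, ":")
      if (i == 0) next
      name = tolower(substr($0, 1, i - 1))
      if (name != want) next
      val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      print val
    }'
}

# header_count NAME: number of NAME headers on stdin.
header_count() {
  header_values "$1" | wc -l | tr -d ' '
}

# csp_directive DIRECTIVE: read CSP policy strings on stdin (one per line) and
# print the source list of DIRECTIVE from every policy that sets it.
csp_directive() {
  awk -v want="$1" '
    {
      n = split($0, parts, ";")
      for (k = 1; k <= n; k++) {
        d = parts[k]
        sub(/^[ \t]+/, "", d); sub(/[ \t]+$/, "", d)
        if (d == "") continue
        split(d, tok, /[ \t]+/)
        if (tolower(tok[1]) == want) {
          sub(/^[^ \t]+[ \t]*/, "", d)   # drop the directive name, keep sources
          print d
        }
      }
    }'
}

# audit_headers: read a raw response header dump on stdin, print one finding
# per line, return 1 if any WARN was raised and 0 otherwise.
audit_headers() {
  dump=$(cat)
  warned=0
  n=$(printf '%s\n' "$dump" | header_count content-security-policy)
  if [ "$n" -gt 1 ]; then
    echo "WARN: $n Content-Security-Policy headers; every one is enforced (effective policy = intersection)"
    warned=1
  elif [ "$n" -eq 0 ]; then
    echo "WARN: no Content-Security-Policy header"
    warned=1
  fi
  fa=$(printf '%s\n' "$dump" | header_values content-security-policy \
       | csp_directive frame-ancestors | tr '\n' '|' | sed 's/|$//')
  [ -n "$fa" ] && echo "INFO: frame-ancestors per policy: $fa"
  xfo=$(printf '%s\n' "$dump" | header_values x-frame-options)
  if [ -n "$xfo" ] && [ -n "$fa" ]; then
    echo "INFO: X-Frame-Options '$xfo' also sent; browsers that support frame-ancestors ignore it"
  fi
  rp=$(printf '%s\n' "$dump" | header_count referrer-policy)
  [ "$rp" -eq 0 ] && echo "INFO: no Referrer-Policy header (browser default applies)"
  return $warned
}

# Constructed sample (not a capture from the poster's site): the .htaccess
# policy from the thread plus a second policy emitted by the application.
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; base-uri 'self';
content-security-policy: frame-ancestors 'none'
referrer-policy: strict-origin-when-cross-origin
EOF
)

if printf '%s\n' "$SAMPLE_HEADERS" | audit_headers; then
  echo "result: no conflicts"
else
  echo "result: conflicts found; let only one of .htaccess or the ACP set CSP"
fi
```

With the sample above the audit reports two CSP headers and frame-ancestors values of 'self' and 'none'; a browser honouring both would refuse to frame the site anywhere, which is why editing only one of the two sources appears to have no effect. Pipe a live curl header dump through audit_headers to see which policies your own install is really serving.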

Posted

Try to change something, please, and tell me if it updates or not.

For example, try to save with "Anywhere (Not Recommended)" and "Do not send header", go to another page and come back.

Posted

You would need to check and ensure CRON is working, as when saving I receive this:

In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777).

Thus, new changes won't be saved until that is addressed. Once I switched background tasks to run via Traffic, the changes worked without issue.
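
The error message quoted above asks for the task file to be made executable and suggests chmod 0777. The script below is an added example for this thread, not Invision Community code: it reports whether a given file is missing, not executable, or executable but world-writable, using only POSIX test and find (the -perm -002 test matches the others-write bit). The point for a practitioner is that "executable" is the execute bit, which 0755 grants; 0777 additionally lets every local account rewrite a PHP file the web server runs. The path in the usage comment is a placeholder, and the temporary files the self-test creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Invision Community code): check the permission bits on a
# background-task entry point. Usage with a placeholder path:
#   task_file_status /path/to/applications/core/interface/task/task.php

# task_file_status PATH: print "ok" when PATH exists, is executable and is not
# world-writable; otherwise "missing", "not-executable" or "world-writable".
# Returns 0 only for "ok".
task_file_status() {
  f=$1
  if [ ! -f "$f" ]; then
    echo missing
    return 1
  fi
  if [ ! -x "$f" ]; then
    echo not-executable
    return 1
  fi
  # -perm -002 matches when the others-write bit is set, i.e. what 0777 grants
  # beyond 0755. -prune keeps find from descending if PATH is a directory.
  if [ -n "$(find "$f" -prune -perm -002 2>/dev/null)" ]; then
    echo world-writable
    return 1
  fi
  echo ok
}

# suggest_fix PATH: print the chmod that makes PATH executable without making
# it writable by everyone, or nothing if it is already fine or missing.
suggest_fix() {
  case "$(task_file_status "$1" || true)" in
    not-executable|world-writable) echo "chmod 0755 '$1'" ;;
    *) ;;
  esac
}

# Self-demonstration on constructed temporary files (not a real install).
demo=$(mktemp "${TMPDIR:-/tmp}/task.XXXXXX")
for mode in 0644 0777 0755; do
  chmod "$mode" "$demo"
  printf 'mode %s -> %s %s\n' "$mode" "$(task_file_status "$demo" || true)" "$(suggest_fix "$demo")"
done
rm -f "$demo"
```

Run against the real task.php after saving the setting: "not-executable" means the ACP will keep refusing to save, and "world-writable" means the 0777 from the error message was applied literally and should be tightened to 0755 (or switch background tasks to run via traffic, as in the reply above, and leave the file alone).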

Posted (edited)
3 hours ago, Jim M said:

You would need to check and ensure CRON is working as when saving I receive this:

In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777).

I've seen this problem several times. Making that error message more visible would certainly help. 👀

Maybe a big red error message at the top of the form like other pages do.

Edited by teraßyte
Posted
13 hours ago, Jim M said:

In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777).


Yup, this was the problem. Thanks. 👍🏼

Posted
On 1/20/2024 at 12:00 AM, teraßyte said:

I've seen this problem several times. Making that error message more visible would certainly help. 👀

Maybe a big red error message at the top of the form like other pages do.

Added this as a bug.
