• Resolved waltmagic

    (@waltmagic)


    I purchased your product a few days ago. It’s nice. It’s got a lot of advanced features other products don’t have. I am running into a problem when configuring my security headers. For some reason when I apply and save a Cross-Origin-Embedder-Policy all of my checkboxes no longer show a checkmark in them. It’s like the checkmark character isn’t loading. I have tested and I can change the values of the checkboxes so the checkboxes “work” but there is no checkmark to indicate the value of the variables. When I reset the headers and make sure the .htaccess file is clean, I re-enable the headers features one by one and have determined that once I enable the Cross-Origin-Embedder-Policy this checkbox/checkmark issue occurs. Here is what is inside the .htaccess file:

    <IfModule mod_headers.c>
    Header set Cross-Origin-Embedder-Policy “require-corp”
    Header set Cross-Origin-Opener-Policy “same-origin”
    Header set Cross-Origin-Resource-Policy “same-origin”
    Header set Content-Security-Policy “default-src ‘none’; connect-src ‘self’; img-src ‘self’; script-src ‘self’; style-src ‘self’; base-uri ‘self'”>
    Header set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”
    Header set X-Content-Type-Options “nosniff”
    Header set X-Download-Options “noopen”
    Header set X-Frame-Options “SAMEORIGIN”
    Header set X-Permitted-Cross-Domain-Policies “none”
    </IfModule>

    I have no idea lol. I’ve never seen this happen before actually. I only have wordpress, elementor and wp-hide pro installed. I disabled my astra theme it still happens. However when I use the link to reset the header settings it works again. All the other security headers work fine, it’s just the Embedder policy. Your help is greatly appreciated ??

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter waltmagic

    (@waltmagic)

    UPDATE: OK it looks like this might be related to the content security policy. I was doing some more testing and found that I can recreate the issue using this policy. I am going to read some more documentation on CSP and wait to hear back from someone in here. If I figure this out I will report my findings here. Thanks

    Thread Starter waltmagic

    (@waltmagic)

    I need some documentation on how to use the wp hide content security policy. I gave up and had to manually create it in a terminal session. The plugin’s website has very little instruction on how to use security headers. Namely how in the heck do you use more than one host?? Obviously the host field is not a csv because the commas are automatically removed. https://url doesn’t work because it removes the // characters. If I just had some manual or documentation I could potentially love this plugin. I’m about to open this up in vscode and see what is going on. I kind of assume that plugins you pay for work and have documentation on how to use them…

    Plugin Contributor Maya

    (@tdgu)

    Hi,
    Because you are talking about the Pro version, which I cannot support here, please use your account/contact on the plugin website.

    Before anything else, keep in mind that the security response headers are a subset of HTTP headers, implemented by any browser ( so really not WP Hide property ). Our plugin just provides a visual interface to set and use the security headers. So we can’t provide better documentation than what the headers developers have. For example, a comprehensive description of the Content Security Policy can be found at https://www.w3.org/TR/CSP/. There are tons of other resources describing the headers.

    As mentioned at top of the message, we can still help.

    Thanks

    Thread Starter waltmagic

    (@waltmagic)

    It’s all good. Personally I just create the headers manually but since this is for a client I wanted to figure out how to use the plugin to do everything and send the documentation to the client. I will submit my future support requests on the plugin website. I pretty much have it all figured out but what I can’t understand is how to add multiple hosts in the CSP using the plugin. This plugin is very nice. Just needs more how-to tutorials and documentation. I am putting together how-to instructions for this client anyways, maybe I’ll send you a copy when I’m done so we can share it with the community. You can close this issue. Thanks ??

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Cross-Origin-Embedder-Policy Checkboxes Stop Working’ is closed to new replies.