• Resolved Vasco Daniel

    (@vascobaiao)


    Hi Alec!
    Thank you for providing this plugin.

    Recently I increased the security of my website by deploying a CSP. Later I discovered that the videos with protected-video stopped showing. The thumbnail appears but the connection freezes. A YouTube link without protected-video will pull the video properly.

    I would like to maintain protected-video and also CSP. Maybe this is out of your scope, but could you please see below and see what may be blocking Protected-video?

    My guess is that it may be some value in one of these sections:
    # X Frame Options
    # Permissions Policy (rudimentary policies supported by chrome and FF)
    # Content Security Policy (CSP – quite lax WP 6.4 compatible policies)

    Thank you for any guidance you may provide.

    ### BEGIN WP 6.4 Security - LSE
    
    ## Automatic 301 redirect to https
    
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    </IfModule>
    
    ## Additional security headers
    
    <IfModule mod_headers.c>
    
    # X Frame Options
    Header always set X-Frame-Options "SAMEORIGIN"
    
    # X XSS-Protection disabling (deprecated)
    Header set X-XSS-Protection "0"
    
    #  X Content-Type-Options
    Header set X-Content-Type-Options "nosniff"
    
    # X Permitted Cross Domain Policies
    Header set X-Permitted-Cross-Domain-Policies "none"
    
    # X-Powered-By and Server
    Header unset X-Powered-By
    Header unset Server
    
    # Referrer Policy 
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    
    ## Advanced policies - basic implementation
    
    # Permissions Policy (rudimentary policies supported by chrome and FF)
    Header set Permissions-Policy "autoplay=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), midi=(self), payment=(self), microphone=(), camera=()"
    
    # Content Security Policy (CSP - quite lax WP 6.4 compatible policies)
    Header set Content-Security-Policy "default-src 'self'; object-src 'none'; script-src 'self' https: data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https:; style-src 'self' https: 'unsafe-inline'; font-src 'self' data: https:; img-src 'self' blob: data: https:; frame-src 'self' https: blob:; form-action 'self';"
    
    </IfModule>
    
    ## ForceSecureCookie (LiteSpeed Set Cookie HTTPOnly Secure alternative)
    <IfModule LiteSpeed>
    	ForceSecureCookie same_site_strict
    </IfModule>
    
    ### END Improved Site Security
    
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Alec Rust

    (@alecrust)

    Hi @vascobaiao,

    Maybe this is out of your scope

    That is correct, there’s nothing in this plugin preventing the videos from loading. It’s your Content Security Policy preventing videos from loading.

    The Plyr player which Protected Video uses loads the standard YouTube player via its iframe embed method. To permit this content from a 3rd party to load on your page, you likely need to add a rule to your .htaccess file, something like this:

    Header set Content-Security-Policy "default-src 'self'; object-src 'none'; script-src 'self' https: data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https:; style-src 'self' https: 'unsafe-inline'; font-src 'self' data: https:; img-src 'self' blob: data: https:; frame-src 'self' https: blob: https://www.youtube.com; form-action 'self';"

    Using the “Network” tab in Dev Tools you can see the resources that are trying to load on your page.
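
    To see which CSP directive actually governs a resource such as the YouTube iframe, and whether a given header value would let it load, here is a small evaluator added to this thread as an example (it is not part of the Protected Video plugin or the thread author's code). It parses the header, follows the CSP Level 3 fallback chain (frame-src falls back to child-src, then default-src) and matches a URL against 'self', scheme sources such as https: or data:, and host sources with wildcards and paths. The page URL and embed URL in it are constructed placeholders.

```python
# Added example (not from the thread or the Protected Video plugin): a small
# CSP evaluator. Parses a Content-Security-Policy header value, resolves the
# directive that governs a resource type (CSP3 fallback chain) and tests
# whether a URL matches that directive's source list.
from __future__ import annotations
from urllib.parse import urlparse

# CSP Level 3 fallback chains for the directives that do not fall straight
# back to default-src. Everything else falls back to default-src only.
FALLBACK = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.
    A repeated directive is ignored (the first occurrence wins), as browsers do."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy: dict[str, list[str]], directive: str) -> str | None:
    """Return the directive that applies to `directive`, following the fallback chain,
    or None when nothing in the policy restricts that resource type."""
    for name in [directive, *FALLBACK.get(directive, ["default-src"])]:
        if name in policy:
            return name
    return None


def _origin(u):
    return (u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme))


def source_matches(source: str, url: str, page_url: str) -> bool:
    """Does one source expression ('self', https:, host, host/path) match `url`?"""
    s = source.lower()
    u = urlparse(url)
    if s == "'self'":
        return _origin(u) == _origin(urlparse(page_url))
    if s.startswith("'"):                    # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if s.endswith(":") and "/" not in s:     # scheme-source, e.g. https: or data:
        scheme = s[:-1]
        return u.scheme == scheme or (scheme == "http" and u.scheme == "https")
    # host-source: [scheme://]host[:port][/path]
    scheme, _, rest = s.rpartition("://")
    host_port, slash, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    if scheme and not (u.scheme == scheme or (scheme == "http" and u.scheme == "https")):
        return False
    host_ok = (host == "*"
               or (host.startswith("*.") and (u.hostname or "").endswith(host[1:]))
               or u.hostname == host)
    if not host_ok:
        return False
    if port and port != "*" and str(u.port or DEFAULT_PORT.get(u.scheme)) != port:
        return False
    if slash:                                # path: prefix match if it ends with '/', else exact
        want = "/" + path
        return u.path.startswith(want) if want.endswith("/") else u.path == want
    return True


def allowed(header: str, directive: str, url: str, page_url: str = "https://example.com/") -> bool:
    """Would a browser enforcing `header` on `page_url` load `url` under `directive`?"""
    policy = parse_csp(header)
    name = governing_directive(policy, directive)
    if name is None:
        return True
    return any(source_matches(s, url, page_url) for s in policy[name])


# Constructed sample inputs (placeholders, not real sites or video ids).
STRICT = "default-src 'self'; object-src 'none'"
WITH_YOUTUBE = STRICT + "; frame-src 'self' https://www.youtube.com"
YT_EMBED = "https://www.youtube.com/embed/VIDEO_ID"
PLYR_PAGE = "https://example.com/video/"

if __name__ == "__main__":
    for label, hdr in (("strict", STRICT), ("with youtube", WITH_YOUTUBE)):
        gov = governing_directive(parse_csp(hdr), "frame-src")
        print(f"{label:13s} frame-src governed by {gov}, "
              f"embed allowed: {allowed(hdr, 'frame-src', YT_EMBED, PLYR_PAGE)}")
```

    Paste the header value from your .htaccess, the URL the Network tab reports as blocked, and the directive named in the browser console's violation message. One thing the checker makes visible: a scheme source such as https: already matches every https origin, so adding a host to a list that contains https: does not widen that directive; if a frame is still blocked, look at the other directives the console reports.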

    Thread Starter Vasco Daniel

    (@vascobaiao)

    Thank you for the recommendation.
    I will try to find a better definition for the CSP and if it works I will definitely share it here.

    Plugin Author Alec Rust

    (@alecrust)

    Closing as this support issue is resolved.

    Thread Starter Vasco Daniel

    (@vascobaiao)

    #Solution
    If you use the Protected Video plugin on a LiteSpeed web server with Plesk, this solution worked for me. It still needs some minor tweaks, but it's good to go.

    # Security Headers
    <IfModule mod_headers.c>
    Header set Content-Security-Policy "upgrade-insecure-requests"
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    Header set X-Xss-Protection "0"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "geolocation=self"
    Header unset X-Powered-By
    Header always unset X-Powered-By
    Header unset Server
    </IfModule>
  • The topic ‘CSP content security policy’ is closed to new replies.