FG777 app,MASWERTE Online.Recharge Every day and Get Bonus up-to 50%!

Resolved coderars
(@coderars)

4 years, 1 month ago

Hi!

Thank you for this great plugin! Looking at my response headers I’ve just noticed that both the deprecated “x-content-security-policy” and the new/standardized “content-security-policy” headers were sent. Is this intentional for any reason? Is the old format still necessary?

https://content-security-policy.com/

Note: It is known that having both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP causes unexpected behaviours on certain versions of browsers. Please avoid using deprecated X-* headers.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that’s an older version and you don’t need to specify it anymore.)

Thank You!

Viewing 13 replies - 1 through 13 (of 13 total)

Plugin Author Johan Jonk Stenstr?m
(@jonkastonka)

4 years, 1 month ago
Yes, the old format is needed since IE is still a thing unfortunately.
- This reply was modified 4 years, 1 month ago by Johan Jonk Stenstr?m.
Plugin Author Johan Jonk Stenstr?m
(@jonkastonka)

4 years, 1 month ago

I made a note of it, so maybe I’ll add a switch for it so that users that don’t want support for IE can turn off x-content-security-policy. Would that be a good solution for you?

Thread Starter coderars
(@coderars)

4 years, 1 month ago

Sure, however “IE 10-11 support sandbox only” and older versions knows nothing about CSP headers:

https://caniuse.com/contentsecuritypolicy
Known issues tab:

Partial support in Internet Explorer 10-11 refers to the browser only supporting the ‘sandbox’ directive by using the X-Content-Security-Policy header.

My local IE11 testing:
Currently there are some “Refused to load image” errors in console for my local dev site in Chrome (just for testing) but loading the same site in IE11 there’s no CSP error at all, so I assume the x-content-security-policy header is useless.

Plugin Author Johan Jonk Stenstr?m
(@jonkastonka)

4 years, 1 month ago

You can comment out these in inc/set-cacsp.php just to try it out:

echo '<meta http-equiv="X-Content-Security-Policy" content="' . $contentSecurityPolicy . '">' . "\n";

header( "X-Content-Security-Policy: " . $contentSecurityPolicy );

Thread Starter coderars
(@coderars)

4 years, 1 month ago

I think the switch in the plugin settings you mentioned is a safe idea until it’s not clearly investigated. However based on the links I sent I’m still unsure if the X header does anything at all in IE? (With the same value and without that sandbox flag) If not (my vote), then it could be safely removed (and without the need for that switch).

Here’s another one:
https://security.stackexchange.com/questions/191455/whats-the-alternative-of-content-security-policy-csp-header-in-internet-explo

Plugin Author Johan Jonk Stenstr?m
(@jonkastonka)

4 years, 1 month ago

I remember adding it, to support old IE. But I’ll give it another debug when adding the switch.

Plugin Author Johan Jonk Stenstr?m
(@jonkastonka)

4 years, 1 month ago

@coderars In the new version released today there is a new option for disabling X-Content-Security-Policy. Thanks for your input!

Thread Starter coderars
(@coderars)

4 years, 1 month ago

Superb! Thank you!

Plugin Author Johan Jonk Stenstr?m
(@jonkastonka)

4 years, 1 month ago

If it’s not too much, please consider leaving a review. ??

Thread Starter coderars
(@coderars)

4 years, 1 month ago

Currently, I’m quite busy on other parts of my site but as soon as I turn back to well configure/customize this plugin I’ll write a detailed review I promise! ??

Plugin Author Johan Jonk Stenstr?m
(@jonkastonka)

4 years, 1 month ago

Sweet! ??

Thread Starter coderars
(@coderars)

4 years ago

Promise accomplished ??

Plugin Author Johan Jonk Stenstr?m
(@jonkastonka)

4 years ago

@coderars Thank you! <3

Viewing 13 replies - 1 through 13 (of 13 total)

The topic ‘x-content-security-policy header’ is closed to new replies.