Hi @c0der, thanks for downloading the Headers Security Advanced & HSTS WP plugin.
I am here to help you with the issue you are experiencing with the third party service “Adsense by google” and the “Referrer-Policy” headers policy.
no-referrer-when-downgrade was a default policy among browsers (Chrome, Firefox, Edge, Safari). Now we at Headers Security Advanced & HSTS WP also use a policy that is secure, privacy-enhancing, and useful,
so we have updated the Referrer-Policy header to strict-origin-when-cross-origin. With this policy, only the origin is sent in the Referer header of cross-origin requests.
This prevents the leakage of private data that might be accessible from other parts of the full URL such as the path and query string.
Update the plugin to version 4.8.98 and I am sure you will no longer experience the issue.
For further assistance or questions please do not hesitate to contact us.
This reply was modified 1 year, 8 months ago by Andrea Ferro.
The last version is 4.8.96, no update yet.
Hi @c0der, you should see the plugin update to version 4.8.98 released 30 minutes ago.
We are not experiencing any version anomalies on WordPress; the version that is now available is 4.8.98.
Hi @c0der, I have checked, however you are not using version 4.8.98; I would ask you to do that to resolve the issue that may occur with the cache.
Go to section > plugins > uninstall the plugin and then delete the plugin > at this point reinstall the plugin and you should have resolved the caching/hosting side issue.
From an internal check you are still using (referrer-policy no-referrer-when-downgrade), a directive which the latest version no longer uses.
Best regards
Hello,
thank you for the support.
I have deleted the cache from WP Rocket and Cloudflare and the same notice is still on the site.
Can you check please?
Hi @c0der, please go ahead I am just here to help you and provide support and the information you need.
I have done some checking to see what headers are being loaded from your domain. The domain is not using our Headers Security Advanced & HSTS WP plugin guidelines.
The headers currently visible are being forced by the external Cloudflare service and this is implementing outdated and incorrect directives.
To resolve this issue, I ask you to take some actions that might explain your issue:
– A common issue is the WP Rocket plugin, which when used with other services such as Cloudflare can cause anomalies with the headers and directives set.
– Try disabling WP Rocket, clearing the search engine cache and restarting Cloudflare.
– Once this is done, try checking directly with the link above whether you see the Referrer-Policy directive with the value strict-origin-when-cross-origin.
As a last thing you could disable the Cloudflare headers, but remember, only the headers.
See the security headers report
Hello,
thank you.
I disabled WP Rocket and another plugin, “Asset CleanUp Pro: Page Speed Booster”,
cleared the Firefox cache,
and deleted the Cloudflare cache.
Nothing changed in Firefox.
About the Cloudflare headers, can you show me where this setting is, or its name?
I'm using the Cloudflare free plan.
I forgot, I'm also using the plugin “iThemes Security Pro”,
but there is nothing in its settings for headers.
Hi @c0der, I verified your site with the same link provided in the previous message.
I now see grade A+ and see that you are using the correct headers.
The referrer-policy value has become strict-origin-when-cross-origin.
I also checked your website and verified a few things, and you can see that in the DOM console the Referrer-Policy error is no longer presented.
Thank you for the help.
Now I only see:
```
Content Security Policy: Ignoring “’unsafe-inline’” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “’unsafe-inline’” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “’unsafe-inline’” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
```
Is that normal?
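As an added illustration, not the plugin's code and not from either participant in this thread, the following Python models the two browser behaviours discussed above: the Referer a browser sends under no-referrer-when-downgrade versus strict-origin-when-cross-origin (the header change in the support reply), and which script-src entries a CSP3 browser disregards when 'strict-dynamic' is present, which is what the console lines in the last post report. The URLs and the policy string are constructed sample values.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample values: a checkout page that triggers a third-party
# ad request, and a CSP like the one behind the console warnings above.
CHECKOUT = "https://shop.example/checkout?order=42&email=a%40b.example#step2"
AD_REQUEST = "https://ads.example/pixel"
SAMPLE_CSP = ("default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' "
              "'unsafe-inline' https: http: 'unsafe-eval'")

def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def _full_referer(url: str) -> str:
    # A full Referer never carries the fragment or a user:password part.
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return p._replace(netloc=host, fragment="").geturl()

def referer_header(policy: str, from_url: str, to_url: str) -> Optional[str]:
    """Referer value (None = header omitted) for a request from_url -> to_url."""
    if urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http":
        return None  # both policies drop the Referer on a TLS -> plaintext downgrade
    if policy == "no-referrer-when-downgrade":
        return _full_referer(from_url)  # path and query leak to every origin
    if policy == "strict-origin-when-cross-origin":
        if _origin(from_url) == _origin(to_url):
            return _full_referer(from_url)  # same origin: full URL as before
        return _origin(from_url) + "/"  # cross-origin: origin only
    raise ValueError(f"policy not modelled here: {policy}")

def strict_dynamic_ignored(csp: str) -> List[str]:
    """script-src entries a CSP3 browser ignores once 'strict-dynamic' is set:
    'unsafe-inline', 'self' and scheme/host allowlists (nonces, hashes, eval keywords stay)."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            break
    else:
        return []  # no script-src directive at all
    sources = [s.lower() for s in tokens[1:]]
    if "'strict-dynamic'" not in sources:
        return []  # without 'strict-dynamic' the allowlist is honoured as written
    kept = {"'strict-dynamic'", "'unsafe-eval'", "'unsafe-hashes'", "'wasm-unsafe-eval'", "'report-sample'"}
    return [s for s in sources if s not in kept
            and not s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))]
```

For the sample policy the ignored entries are exactly 'unsafe-inline', https: and http:, so those warnings are the browser confirming that the nonce-based policy is in force rather than reporting a misconfiguration.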