custom header (CSP Report Only) not possible? | WordPress.org

Resolved Anonymous User 17880307
(@anonymized-17880307)

1 year, 8 months ago

Hi,

users are trying to add Content-Security-Policy-Report-Only: default-src 'none'; report-uri /csp-log.php but according to their tests after the submission the ‘ (single quote) is always escaped and the header not applied.

How can they add this header?

Viewing 1 replies (of 1 total)

Plugin Author nintechnet
(@nintechnet)

1 year, 8 months ago
I forgot to add a call to the stripslashes function. WordPress always escapes quotes.
The issue is line 1369: https://plugins.trac.wordpress.org/browser/ninjafirewall/trunk/lib/firewall_policies.php#L1369
```
$headers = explode( "\r\n", $_POST['nfw_options']['custom_headers'] );
```
It should be replaced with:
```
$headers = explode( "\r\n", stripslashes( $_POST['nfw_options']['custom_headers'] ) );
```
I’ll add the patch to the next release, thanks for reporting it.

Viewing 1 replies (of 1 total)

The topic ‘custom header (CSP Report Only) not possible?’ is closed to new replies.

In: Plugins
1 reply
2 participants
Last reply from: nintechnet
Last activity: 1 year, 8 months ago
Status: resolved