Wrong URL to Internal Test URL Checker when WP installed in subdirectory
Hi,
I installed your plugin after reading this article. I really appreciate the effort you have put into the plugin.
After installing the plugin and enabling report-only mode, I visited the Test tab, clicked on Internal Test URL Checker and got a 404.
I looked at the request and found that the requested URL is
https://…/wp-json/wpcsp/v1/route/RestAdmin when it really should be https://…/magasinet/wp-json/wpcsp/v1/route/RestAdmin because WordPress is installed in the subdirectory /magasinet.
The next version uses WordPress’ built-in function to get the URL, so this issue should go away. In the meantime you can set the correct URL through the settings option page.
I tried accessing your site’s wp-json URL and it’s coming up 404 – do you have the REST API disabled somehow?
https://www.wtcmalmo.se/magasinet/wp-json

Thanks for the quick reply.
Yes, I had the REST API turned off (I’m embarrassed). It’s now fixed, and the following can be found in the HTML:
<link rel='https://api.w.org/' href='https://…/magasinet/wp-json/' />
The report URI in the header seems right (https://…/magasinet/wp-json/wpcsp/v1/route/LogPolicyViolation), but the Internal Test URL Checker still returns 404.
More importantly, I don’t see anything in the log. I guess I should have got plenty of log entries while I tested out the policy now in effect. I have enabled logging of all violations.
Many thanks for your effort.
I’m still seeing https://www.wtcmalmo.se/magasinet/wp-json with a 404 – this URL should show all the REST routes logged in your system and should look something like:
{"name":"Site Name","description":"Site Name – Locally World Famous","url":"https:\/\/www.example.com","home":"https:\/\/www.example.com","gmt_offset":"0","timezone_string":"","namespaces":["oembed\/1.0","ppt\/v1","pptrestrict\/v1","akismet\/v1","contact-form-7\/v1","yoast\/v1","wpcsp\/v1","wp\/v2"],"authentication":[],"routes":{"\/":{"namespace":"","methods":["GET"],"endpoints":[{"methods":["GET"],"args":{"context":{"required":false,"default":"view"}}}],"_links":{"self":"https:\/\/www.example.com\/wp-json\/"}},"\/oembed\/1.0":{"namespace":"oembed\/1.0","methods":["GET"],"endpoints":[{"methods":["GET"],"args":{"namespace":{"required":false,"default":"oembed\/1.0"},"context":{"
When you get this returning, look for the route wpcsp and you should see an entry like:
\/wpcsp\/v1\/route\/LogPolicyViolation
This means the route (URL) is live and ready for traffic. Once this is shown your logging should work.

I had another thought on this: if you’re seeing the wp-json output and I’m not, is it a firewall issue?
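Added example (not from the thread or from the plugin): a small Python check that reads a /wp-json index of the kind quoted above and verifies that a served CSP header's report-uri sits under the REST root the index advertises in _links.self (so a dropped subdirectory such as /magasinet shows up), names a route that is registered and accepts POST, and carries a _wpnonce query parameter. The index, the two headers, the host and the nonce are constructed for the example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a /wp-json index, trimmed to the fields this check uses.
# The shape follows what WordPress returns (and what is quoted in the thread);
# the site name, host and routes' presence are made up for this example.
SAMPLE_INDEX = json.dumps({
    "name": "Example Site",
    "url": "https://www.example.com/magasinet",
    "home": "https://www.example.com/magasinet",
    "namespaces": ["oembed/1.0", "wpcsp/v1", "wp/v2"],
    "routes": {
        "/": {"namespace": "", "methods": ["GET"]},
        "/wpcsp/v1": {"namespace": "wpcsp/v1", "methods": ["GET"]},
        "/wpcsp/v1/route/LogPolicyViolation": {"namespace": "wpcsp/v1", "methods": ["POST"]},
        "/wpcsp/v1/route/RestAdmin": {"namespace": "wpcsp/v1", "methods": ["POST"]},
    },
    "_links": {"self": "https://www.example.com/magasinet/wp-json/"},
})

# Two constructed headers: one that dropped the /magasinet subdirectory and has
# no nonce, one that points at the advertised REST root and carries a nonce.
WRONG_HEADER = ("default-src 'self'; "
                "report-uri https://www.example.com/wp-json/wpcsp/v1/route/LogPolicyViolation")
RIGHT_HEADER = ("default-src 'self'; report-uri "
                "https://www.example.com/magasinet/wp-json/wpcsp/v1/route/LogPolicyViolation?_wpnonce=0123456789")


def parse_csp(header):
    """Split a CSP header into {directive: [values]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_report_uri(csp_header, index_json, method="POST"):
    """Check a header's report-uri against the REST index of the site serving it.

    Returns a dict of individual findings so the failing step is visible: the
    URI is not under the advertised REST root (e.g. the subdirectory was
    dropped), the route is not registered, the route does not accept `method`,
    or the _wpnonce query parameter is missing.
    """
    index = json.loads(index_json)
    rest_root = index["_links"]["self"]  # e.g. https://host/magasinet/wp-json/
    uris = parse_csp(csp_header).get("report-uri", [])
    if not uris:
        return {"present": False}
    parts = urlsplit(uris[0])  # a policy may list several URIs; the first is checked
    query = dict(kv.split("=", 1) for kv in parts.query.split("&") if "=" in kv)
    bare = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    under_root = bare.startswith(rest_root)
    route = "/" + bare[len(rest_root):] if under_root else None
    entry = index["routes"].get(route) if route else None
    return {
        "present": True,
        "under_rest_root": under_root,
        "route": route,
        "route_registered": entry is not None,
        "method_allowed": entry is not None and method in entry["methods"],
        "has_nonce": "_wpnonce" in query,
    }


if __name__ == "__main__":
    for label, header in (("wrong", WRONG_HEADER), ("right", RIGHT_HEADER)):
        print(label, check_report_uri(header, SAMPLE_INDEX))
```

Against a live site, replace SAMPLE_INDEX with the body of GET /wp-json (fetched from the same host the header came from) and pass the Content-Security-Policy or Content-Security-Policy-Report-Only header of any page; a report-uri whose under_rest_root finding is false is the subdirectory problem described in this thread.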
Thanks for your kind help.
You should now get a proper response from https://…/magasinet/wp-json. It turned out that I had to visit the permalink settings page (so WordPress flushed its rewrite rules after I had enabled the REST API).

But the Internal Test URL Checker still returns 404, because it uses the wrong URL: https://…/wp-json/wpcsp/v1/route/RestAdmin instead of https://…/magasinet/wp-json/wpcsp/v1/route/RestAdmin. The same is true for the Clear Log File button.

Finally, I still don’t see anything in the log when I introduce a violation of the CSP, although report-uri in the CSP header looks right: https://…/magasinet/wp-json/wpcsp/v1/route/RestAdmin.

The CSP header doesn’t have a nonce in it:
report-uri https://www.wtcmalmo.se/magasinet/wp-json/wpcsp/v1/route/RestAdmin
It should be something like:
/wp-json/wpcsp/v1/route/LogPolicyViolation?_wpnonce=b724e201d2
Without the nonce, WordPress security is bouncing the logged violation calls with a 400 error.
Can you check your server log to see if anything is being output by PHP – an error of some kind?

The nonce code was reworked and the new version may or may not have this issue.

Thanks for taking the time on this issue.
The CSP header does have a wpnonce query string parameter. (I didn’t include it in my last comment.) I don’t see any errors in the error log.
But there are some warnings in the web browser console. One says that child-src is deprecated. The other reads:
loading pref showConsoleLogs before prefs were initialised, you will not get the correct result content-script.bundle.js:333:7
I did the following simple test: visit a page, copy the report-uri (including the nonce) and paste it into the address bar of the browser. I don’t know what response to expect, but this is what I got:
code "rest_no_route" message "No route was found matching the URL and request method" data status 404

Sorry, I visited https://…/magasinet/wp-json/ and noticed that I must use POST. I therefore did the following test:

curl -v -d "key1=val1" https://www.wtcmalmo.se/magasinet/wp-json/wpcsp/v1/route/LogPolicyViolation?_wpnonce=fd15dc52d7
*   Trying 139.162.161.177...
* Connected to www.wtcmalmo.se (139.162.161.177) port 443 (#0)
* found 149 certificates in /etc/ssl/certs/ca-certificates.crt
* found 604 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: www.wtcmalmo.se (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=www.wtcmalmo.se
* start date: Mon, 25 Dec 2017 15:27:14 GMT
* expire date: Sun, 25 Mar 2018 15:27:14 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> POST /magasinet/wp-json/wpcsp/v1/route/LogPolicyViolation?_wpnonce=fd15dc52d7 HTTP/1.1
> Host: www.wtcmalmo.se
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 9
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 9 out of 9 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Mon, 08 Jan 2018 20:41:24 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 4
< Connection: keep-alive
< X-Robots-Tag: noindex
< Link: <https://www.wtcmalmo.se/magasinet/wp-json/>; rel="https://api.w.org/"
< X-Content-Type-Options: nosniff
< Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
< Access-Control-Allow-Headers: Authorization, Content-Type
< X-WP-Nonce: fd15dc52d7
< Allow: POST
< Cache-Control: max-age=0
< Expires: Mon, 08 Jan 2018 20:41:24 GMT
< Vary: Accept-Encoding
<
* Connection #0 to host www.wtcmalmo.se left intact

Nothing shows up in the log.
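Added example, not part of the poster's test or of the plugin: a browser reports a CSP violation as a POST whose body is a JSON object under the key csp-report, sent with Content-Type application/csp-report (CSP Level 2). That is a different shape from the form-encoded key1=val1 body in the curl call above. The Python below builds such a request without sending it and shows the validation a receiving endpoint would apply before writing a log line. The URLs, the nonce, the size cap and the log format are assumptions for the example; nothing here describes what the plugin's endpoint actually accepts.

```python
import json
from urllib.request import Request

REPORT_CONTENT_TYPE = "application/csp-report"  # media type CSP2 browsers use for report-uri
MAX_REPORT_BYTES = 16 * 1024  # assumed cap for the receiving side; not a WordPress value


def build_csp_report_request(report_uri, document_uri, violated_directive,
                             blocked_uri, original_policy):
    """Build (but do not send) the POST a browser issues when a directive is violated.

    `report_uri` should be passed exactly as served in the header, query string
    (for example _wpnonce) included, because the browser sends it verbatim.
    """
    report = {
        "document-uri": document_uri,
        "referrer": "",
        "violated-directive": violated_directive,
        "effective-directive": violated_directive.split()[0],
        "original-policy": original_policy,
        "blocked-uri": blocked_uri,
        "status-code": 200,
    }
    body = json.dumps({"csp-report": report}).encode("utf-8")
    return Request(report_uri, data=body, method="POST",
                   headers={"Content-Type": REPORT_CONTENT_TYPE})


def parse_csp_report(content_type, body):
    """Validation a logging endpoint would apply before writing anything to its log.

    Returns (True, report_dict) on success, otherwise (False, reason). Rejects a
    wrong media type, an oversize body, malformed JSON, and JSON without the
    csp-report object or its core fields, so junk never reaches the log.
    """
    if content_type.split(";")[0].strip().lower() != REPORT_CONTENT_TYPE:
        return False, "unexpected content type: " + content_type
    if len(body) > MAX_REPORT_BYTES:
        return False, "report too large"
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return False, "malformed JSON: %s" % exc
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return False, "missing csp-report object"
    for key in ("document-uri", "violated-directive", "blocked-uri"):
        if not isinstance(report.get(key), str):
            return False, "missing field: " + key
    return True, report


def format_log_line(report):
    """One plain-text line per violation; newlines are stripped so a crafted
    report cannot forge extra entries in a line-oriented log."""
    fields = (report["document-uri"], report["violated-directive"], report["blocked-uri"])
    return " | ".join(f.replace("\n", " ").replace("\r", " ") for f in fields)


if __name__ == "__main__":
    # Constructed values; the report URL follows the pattern discussed in the thread.
    req = build_csp_report_request(
        "https://www.example.com/magasinet/wp-json/wpcsp/v1/route/LogPolicyViolation?_wpnonce=0123456789",
        "https://www.example.com/magasinet/", "script-src 'self'",
        "https://cdn.example.net/x.js", "default-src 'self'; script-src 'self'")
    ok, report = parse_csp_report(req.get_header("Content-type"), req.data)
    print(ok, format_log_line(report))
```

To exercise a real endpoint, hand the Request object to urllib.request.urlopen; a 200 from the route plus a new log line confirms the whole path, while a 200 with no log line points at the endpoint's own handling of the body rather than at routing or the nonce.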
Version 2.1 is out with updated subdirectory and nonce handling – give it a whirl.
Have now tested the new version.
1) Logging is now working. I see messages in the log file.
2) But the Internal Test URL Checker now returns “500 Internal Server Error” instead of “404 Not Found”
PHP issues two warnings and one error message:
PHP Notice: Undefined index: base-uri in /…/magasinet/wp-content/plugins/wp-content-security-policy/includes/WP_CSP.php on line 254
PHP Notice: Undefined index: host in /…/magasinet/wp-content/plugins/wp-content-security-policy/includes/WP_CSP.php on line 720
PHP Fatal error: Uncaught Error: Call to private method WP_CSP::ProcessPolicyViolation() from context 'WP_CSP_Admin' in /…/magasinet/wp-content/plugins/wp-content-security-policy/admin/WP_CSP_Admin.php:877
Stack trace:
#0 /…/magasinet/wp-content/plugins/wp-content-security-policy/admin/WP_CSP_Admin.php(627): WP_CSP_Admin::TestURLChecker()
#1 /…/magasinet/wp-includes/rest-api/class-wp-rest-server.php(936): WP_CSP_Admin::RestAdmin(Object(WP_REST_Request))
#2 /…/magasinet/wp-includes/rest-api/class-wp-rest-server.php(321): WP_REST_Server->dispatch(Object(WP_REST_Request))
#3 /…/magasinet/wp-includes/rest-api.php(266): WP_REST_Server->serve_request('/wpcsp/v1/route...')
#4 /…/magasinet/wp-includes/class-wp-hook.php(286): rest_api_loaded(Object(WP))
#5 /…/magasinet/wp-includes in /…/magasinet/wp-content/plugins/wp-content-security-policy/admin/WP_CSP_Admin.php on line 877