Forum Replies Created

Viewing 10 replies - 61 through 70 (of 70 total)
  • Plugin Author Dylan

    (@dyland)

    The table should create on activation…perhaps I need more error checking around the insert to handle the possibility the table doesn’t exist.

    I haven’t converted a site to SSL yet, I have one converting tomorrow and will look at why it might be not logging on SSL (if it’s not related to the create table issue).

    It looks related to https://github.com/Modernizr/Modernizr/issues/1538 – maybe the JS in the latest plugin version has this bug?

    Plugin Author Dylan

    (@dyland)

    We’re using both so we can support older browsers. As these tend to be the most vulnerable browsers I will keep supporting them for some time.

    Plugin Author Dylan

    (@dyland)

    Have a look at your browser’s developer console, see what errors are displayed there. The browser should say whether it is in report-only mode. You can also check network traffic (again through the developer console) as there should be one call per rejected item.

    Plugin Author Dylan

    (@dyland)

    I will fix in the next release.

    Plugin Author Dylan

    (@dyland)

    There’s a space in the URL “blob: xxxx.com” (after the ‘:’) which should be removed. Spaces in URLs are always tricky, spaces are meant to be URL encoded but in this instance the space is unwanted. The system currently sees a space as the start of a new entry, I will stop it doing that in the next release.
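The effect of that stray space, shown as an added example that is not part of the original post or the plugin's code: CSP source lists are split on whitespace, so "blob: xxxx.com" is read as two entries, and a bare `blob:` entry matches every blob: URL. The function names and the simplified host pattern are assumptions made for illustration.

```javascript
// Added example (not the plugin's code): classify the whitespace-separated
// entries of a CSP source list and flag a bare scheme followed by a host,
// which is what a stray space after the ':' produces.
const SCHEME_ONLY = /^[a-z][a-z0-9+.-]*:$/i;   // blob:  data:  https:
const QUOTED = /^'[^']+'$/;                    // 'self', 'unsafe-inline', ...
// Simplified host-source pattern (assumption, not the full CSP grammar).
const HOST = /^([a-z][a-z0-9+.-]*:\/\/)?(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:(\d+|\*))?(\/\S*)?$/i;

function classify(token) {
  if (token === '*') return 'wildcard';
  if (QUOTED.test(token)) return 'keyword';
  if (SCHEME_ONLY.test(token)) return 'scheme';
  if (HOST.test(token)) return 'host';
  return 'invalid';
}

function lintSourceList(sourceList) {
  // Same split a browser applies: every run of whitespace starts a new entry.
  const tokens = sourceList.trim().split(/\s+/).filter(Boolean);
  const entries = tokens.map((token) => ({ token, kind: classify(token) }));
  const warnings = [];
  entries.forEach((entry, i) => {
    const next = entries[i + 1];
    if (entry.kind === 'scheme' && next && next.kind === 'host' && !next.token.includes('://')) {
      warnings.push(
        `"${entry.token} ${next.token}" is read as two entries; ` +
        `"${entry.token}" alone allows every ${entry.token} URL`
      );
    }
    if (entry.kind === 'invalid') {
      warnings.push(`"${entry.token}" is not a recognised source expression`);
    }
  });
  return { entries, warnings };
}

// Constructed input mirroring the entry quoted in the post.
console.log(lintSourceList("'self' blob: xxxx.com"));
```

The check is a heuristic: a scheme that is deliberately followed by a host entry is flagged as well and needs a human decision.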

    Plugin Author Dylan

    (@dyland)

    Turn it into block mode (not report only mode) as it’s easier to work out if something is being caught.

    Try embedding a YouTube video to your page and see if the video runs in your browser (under the YouTube video, the ‘share’ option, then ‘embed’, the code should be an iframe). If the video plays OK then your site is allowing third party access, if it doesn’t it is being blocked.

    If it is blocked then check the CSP log for a youtube entry – no entry could mean the browser is not able to report the violation. You will need to look at the network traffic using your browser’s developer tools, see if the call is being blocked. Sometimes the call is blocked by another plugin such as Wordfence.

    If YouTube is not blocked then either the header is not being sent or you have allowed access to third parties (using a ‘*’ for example). Use your browser’s developer tools and look for a response header of “Content-Security-Policy:” – if that exists the plugin is setting the header, if it isn’t then the plugin might be disabled or something else is happening.
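The header checks described in the post above, as an added example that is not part of the original post or the plugin's code. It takes a response's headers (copied from the developer tools, for instance) and reports which mode is active and whether an iframe host is covered; the function names are assumptions, and sources are matched on host only.

```javascript
// Added example (not the plugin's code). Header names are the standard CSP ones.
// Simplification (assumption): sources are matched on host only, ignoring
// scheme, port and path.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers keep the first occurrence of a directive and ignore repeats.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function allowsHost(sources, host) {
  return sources.some((src) => {
    if (src === '*') return true;
    const h = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').replace(/[:/].*$/, '').toLowerCase();
    return h.startsWith('*.') ? host.endsWith(h.slice(1)) : h === host;
  });
}

function diagnose(headers, frameHost) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const enforced = h['content-security-policy'];
  const reportOnly = h['content-security-policy-report-only'];
  if (!enforced && !reportOnly) {
    return { mode: 'none', governing: null, frameBlocked: false, finding: 'no CSP header in the response' };
  }
  const mode = enforced ? 'block' : 'report-only';
  const policy = parsePolicy(enforced || reportOnly);
  // Frames are governed by frame-src, falling back to child-src, then default-src.
  const governing = ['frame-src', 'child-src', 'default-src'].find((d) => policy.has(d)) || null;
  const sources = governing ? policy.get(governing) : [];
  const allowed = !governing || allowsHost(sources, frameHost);
  let finding;
  if (!governing) finding = 'no directive restricts frames';
  else if (sources.includes('*')) finding = `third parties are allowed by a * entry in ${governing}`;
  else if (allowed) finding = `${frameHost} is listed in ${governing}`;
  else if (mode === 'block') finding = `${governing} blocks ${frameHost}; expect a CSP log entry`;
  else finding = `${governing} would block ${frameHost}, but report-only mode lets it load`;
  return { mode, governing, frameBlocked: mode === 'block' && !allowed, finding };
}

// Constructed sample response headers.
console.log(diagnose({ 'Content-Security-Policy': "default-src 'self'; frame-src 'self'" }, 'www.youtube.com'));
```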

    Plugin Author Dylan

    (@dyland)

    The complete policy is not stored anywhere in WP, it is generated on the fly. The entered settings can be found in the options table under wp_wpcsp_all_options.

    If you want to see the whole policy then use the ‘developer tools’ in your browser and look at the response header – it will look something like:

    Content-Security-Policy:default-src 'self' ; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.googleapis.com cdn.api.twitter.com connect.facebook.net data: platform.twitter.com shareaholic.com www.google-analytics.com http://*.ccc2ed9c.id.opendns.com http://*.ccc2eda1.id.opendns.com http://*.ccc2eda6.id.opendns.com http://*.d0452497.id.opendns.com http://*.d045249c.id.opendns.com https://*.web-stat.com http://api.pinterest.com https://apis.google.com http://assets.pinterest.com https://assets.pinterest.com https://bpb.opendns.com http://clickcdn.shareaholic.com http://code.jquery.com https://com.lge.browser http://dsms0mj1bbhn4.cloudfront.net http://graph.facebook.com https://log.pinterest.com http://maps.google.com https://maps.google.com http://maps.gstatic.com https://maps.gstatic.com https://partner.shareaholic.com http://server2.web-stat.com http://sitetray.com https://ssl.google-analytics.com https://widgets.pinterest.com http://www.googleadservices.com https://www.googleadservices.com http://www.linkedin.com https://www.linkedin.com; style-src 'self' 'unsafe-inline' *.googleapis.com ajax.googleapis.com data:  ; img-src 'self' *.googleapis.com data: http://*.amazon.com http://*.ccc2ed97.id.opendns.com http://*.ccc2ed9c.id.opendns.com http://*.ccc2eda1.id.opendns.com http://*.ccc2eda6.id.opendns.com http://*.d0452497.id.opendns.com http://*.d045249c.id.opendns.com http://*.gravatar.com https://*.gstatic.com http://*.susd.org http://1.gravatar.com http://7f696149076fc29081be229b86468c8b5b42.ccc2eda6.id.opendns.com http://ads.yahoo.com http://alert.webprotection.sprint.com http://alert.websecurity.att.com http://analytics.shareaholic.com https://apis.google.com http://assets.pinterest.com https://assets.pinterest.com https://bpb.opendns.com http://cm.g.doubleclick.net http://csi.gstatic.com https://csi.gstatic.com http://dsms0mj1bbhn4.cloudfront.net http://googleads.g.doubleclick.net http://load.s3.amazonaws.com https://log.pinterest.com   
http://maps.gstatic.com https://partner.shareaholic.com https://s-passets.pinimg.com http://server2.web-stat.com https://server2.web-stat.com http://ssl.gstatic.com https://ssl.gstatic.com https://stats.g.doubleclick.net     https://syndication.twitter.com http://www.facebook.com https://www.facebook.com http://www.google-analytics.com https://www.google-analytics.com http://www.google.com  ; font-src 'self' data: http://dsms0mj1bbhn4.cloudfront.net http://fonts.gstatic.com https://fonts.gstatic.com   http://maps.gstatic.com https://sites.google.com https://syndication.twitter.com  ; frame-src 'self' googleads.g.doubleclick.net platform.twitter.com tel www.facebook.com www.google.com www.youtube.com https://accounts.google.com https://apis.google.com https://assets.pinterest.com https://block.opendns.com https://i.ytimg.com https://ipv4.google.com http://maps.gstatic.com https://s-static.ak.facebook.com https://s.youtube.com https://s.ytimg.com http://static.ak.facebook.com https://www.google.ae http://www.google.ca https://www.google.ca https://www.google.co.in http://www.google.co.uk https://www.google.co.uk http://www.google.com.au https://www.google.nl http://www.youtube-nocookie.com https://www.youtube-nocookie.com  ; child-src 'self' googleads.g.doubleclick.net platform.twitter.com tel www.facebook.com www.google.com www.youtube.com https://accounts.google.com https://apis.google.com https://assets.pinterest.com https://block.opendns.com https://i.ytimg.com https://ipv4.google.com http://maps.gstatic.com https://s-static.ak.facebook.com https://s.youtube.com https://s.ytimg.com http://static.ak.facebook.com https://www.google.ae http://www.google.ca https://www.google.ca https://www.google.co.in http://www.google.co.uk https://www.google.co.uk http://www.google.com.au https://www.google.nl http://www.youtube-nocookie.com https://www.youtube-nocookie.com  ; object-src 'self' www.youtube.com  ; connect-src 'self' https://*.googlevideo.com   
http://s3.amazonaws.com https://shareaholic.com   http://www.google-analytics.com https://www.youtube.com  ; media-src 'self'  ;

    Plugin Author Dylan

    (@dyland)

    If you turn off report mode (which you should do once you have your initial settings correct) the header will still be output. What caching plugin are you using – I have tested using Hyper Cache and W3 Total Cache.

    I had this issue, fixed it by updating the account email address and Cloudflare API Key field.
