Content security policy configuration

Started by -Mirco-, April 19, 2017, 03:07:20 AM


-Mirco-

Hello everybody  :D
I have a problem with mixed content not visible on https forum.

I tried to add this meta <meta http-equiv="Content-Security-Policy" Content-Security-Policy: child-src *.4wnetwork.com 4wmarketplace.com 4wnetwork.com; frame-src *.4wnetwork.com 4wmarketplace.com 4wnetwork.com;> without success.

Can anyone help me to solve it?

Thx in advance

Kindred

Until 2.0.14 is released (which will be very soon now) there is no solution.  It's an issue with user avatars and images included in messages and signatures which are not specified as https....  Once 2.0.14 is released, those images will be proxied and the warning will be corrected.

Arantor

CSP doesn't affect HTTPS directly anyway, separate system for other purposes and it's hard to craft a CSP that worked for user content.

-Mirco-

Hello thx for reply.
In my case I'm talking about ad banners on SMF.

So there is no way to solve it?

Arantor

Are they images you are hosting yourself? Or are they blocks of JavaScript that put things on your site?

-Mirco-

The second, they are JS script code banners from another site, that I put on my site.

Arantor

Then there is something wrong with the JS that needs to be changed, and that CSP cannot fix.

-Mirco-

In real not, because on relative Site (that mount wordpress) is going well, the same code make banner visible..

Arantor

If the code is putting the banner image in, the code needs to be changed to point to https rather than http - and nothing else is going to fix this.

-Mirco-

Problem is that just now point to https.

-Mirco-

Problem is, as you can see in photo, banners are not visible by default:



Arantor

You could post a link to your site so I could look at what you're doing as opposed to me trying to guess what needs changing.


Arantor

Well, a lot of the issues come from the ad network code you were given.

You've added:
document.write('<scr'+'ipt type="text/javascript" src="'+ ('https:' == document.location.protocol ? 'https://' : 'http://') + 'optimized-by.4wnetwork.com/simply_loader.js?cb='+ cb +'"></scr' + 'ipt>');


This should probably be:
document.write('<scr'+'ipt type="text/javascript" src="https://optimized-by.4wnetwork.com/simply_loader.js?cb='+ cb +'"></scr' + 'ipt>');


to keep it simple.

This code appears multiple times in the page, they should all be changed.
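
The rewrite suggested in the post above, as an added example that is not part of the original thread: a small Node.js audit that lists subresources able to load over plain HTTP and pins every protocol-switching loader to HTTPS in one pass. The sample markup, the `example.invalid` URLs and the function names are constructed for illustration.

```javascript
// Added example (not from the thread): find subresources that can load over
// plain HTTP on an HTTPS page, and pin protocol-switching loaders to HTTPS.

// Constructed sample page; the document.write line mirrors the one quoted above.
const SAMPLE_PAGE = [
  '<img src="http://example.invalid/banner.png">',
  '<script>var cb = Date.now();',
  "document.write('<scr'+'ipt type=\"text/javascript\" src=\"'+ ('https:' == document.location.protocol ? 'https://' : 'http://') + 'optimized-by.4wnetwork.com/simply_loader.js?cb='+ cb +'\"></scr' + 'ipt>');",
  '</script>',
  '<iframe src="https://example.invalid/frame.html"></iframe>',
].join('\n');

// Hard-coded http:// in a src attribute of a tag that fetches a subresource.
const STATIC_HTTP =
  /<(script|img|iframe|embed|source|audio|video)\b[^>]*?\bsrc\s*=\s*["'](http:\/\/[^"']+)["']/gi;

// Inline ternary that picks the scheme from the page protocol and can emit http://.
const PROTOCOL_SWITCH =
  /\(\s*['"]https:['"]\s*={2,3}\s*(?:document|window)\.location\.protocol\s*\?\s*['"]https:\/\/['"]\s*:\s*['"]http:\/\/['"]\s*\)/g;

// Returns one finding per insecure or protocol-dependent subresource reference.
function auditMixedContent(html) {
  const findings = [];
  for (const m of html.matchAll(STATIC_HTTP)) {
    findings.push({ kind: 'static-http', tag: m[1].toLowerCase(), detail: m[2] });
  }
  for (const m of html.matchAll(PROTOCOL_SWITCH)) {
    findings.push({ kind: 'protocol-switch', tag: 'script', detail: m[0] });
  }
  return findings;
}

// Replaces every protocol ternary with a fixed 'https://' literal, so all
// copies of the loader on the page are changed together.
function pinLoadersToHttps(html) {
  return html.replace(PROTOCOL_SWITCH, "'https://'");
}

const before = auditMixedContent(SAMPLE_PAGE);
const after = auditMixedContent(pinLoadersToHttps(SAMPLE_PAGE));
console.log(before.map(f => f.kind), '->', after.map(f => f.kind));
```

The remaining `static-http` finding is the hard-coded image URL, which has to be changed at its source.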

-Mirco-

Hello,
first code is right.
This just because function js document.location.protocol go in the right case (https) and not in the else (http).

Arantor

I would agree with you except for the small detail of the fact that it doesn't work which is why I suggested the rewrite to force it to HTTPS - which given that your forum is running HTTPS and therefore every request to it should be HTTPS but owing to the way you've handled redirects, it doesn't think that's correct.
