Author Topic: Content security policy configuration  (Read 2145 times)

Offline -Mirco-

  • Semi-Newbie
  • *
  • Posts: 22
Content security policy configuration
« on: April 19, 2017, 03:07:20 AM »
Hello everybody  :D
I have a problem with mixed content not visible on https forum.

I tried to add this meta <meta http-equiv="Content-Security-Policy" Content-Security-Policy: child-src *.4wnetwork.com 4wmarketplace.com 4wnetwork.com; frame-src *.4wnetwork.com 4wmarketplace.com 4wnetwork.com;> without success.

Can anyone help me to solve it?

Thx in advance

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 54,323
  • Gender: Male
    • Kindred-999 on GitHub
Re: Content security policy configuration
« Reply #1 on: April 19, 2017, 07:34:21 AM »
Until 2.0.14 is released (which will be very soon now) there is no solution. It's an issue with user avatars and images included in messages and signatures which are not specified as https. Once 2.0.14 is released, those images will be proxied and the warning will be corrected.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 66,995
    • Arantor on GitHub
Re: Content security policy configuration
« Reply #2 on: April 19, 2017, 07:38:22 AM »
CSP doesn't affect HTTPS directly anyway, separate system for other purposes and it's hard to craft a CSP that worked for user content.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

Offline -Mirco-

Re: Content security policy configuration
« Reply #3 on: April 19, 2017, 02:20:55 PM »
Hello, thx for the reply.
In my case I'm talking about ad banners on SMF.

So there is no way to solve it?

Offline Arantor

Re: Content security policy configuration
« Reply #4 on: April 19, 2017, 03:39:51 PM »
Are they images you are hosting yourself? Or are they blocks of JavaScript that put things on your site?

Offline -Mirco-

Re: Content security policy configuration
« Reply #5 on: April 19, 2017, 03:45:52 PM »
The second: they are JS script code banners from another site that I put on my site.

Offline Arantor

Re: Content security policy configuration
« Reply #6 on: April 19, 2017, 05:56:46 PM »
Then there is something wrong with the JS that needs to be changed, and that CSP cannot fix.

Offline -Mirco-

Re: Content security policy configuration
« Reply #7 on: April 20, 2017, 02:33:02 AM »
Actually no, because on the related site (which runs WordPress) it is going well; the same code makes the banner visible.

Offline Arantor

Re: Content security policy configuration
« Reply #8 on: April 20, 2017, 02:39:19 AM »
If the code is putting the banner image in, the code needs to be changed to point to https rather than http - and nothing else is going to fix this.

Offline -Mirco-

Re: Content security policy configuration
« Reply #9 on: April 20, 2017, 05:43:56 AM »
Problem is that just now point to https.

Offline Arantor

Re: Content security policy configuration
« Reply #10 on: April 20, 2017, 09:03:44 AM »
How is that a problem?

Offline -Mirco-

Re: Content security policy configuration
« Reply #11 on: April 21, 2017, 04:52:19 AM »
Problem is, as you can see in the photo, banners are not visible by default:



Offline Arantor

Re: Content security policy configuration
« Reply #12 on: April 21, 2017, 01:20:05 PM »
You could post a link to your site so I could look at what you're doing as opposed to me trying to guess what needs changing.

Offline -Mirco-

Re: Content security policy configuration
« Reply #13 on: April 21, 2017, 03:40:13 PM »

Offline Arantor

Re: Content security policy configuration
« Reply #14 on: April 21, 2017, 03:54:45 PM »
Well, a lot of the issues come from the ad network code you were given.

You've added:
Code:
document.write('<scr'+'ipt type="text/javascript" src="'+ ('https:' == document.location.protocol ? 'https://' : 'http://') + 'optimized-by.4wnetwork.com/simply_loader.js?cb='+ cb +'"></scr' + 'ipt>');

This should probably be:
Code:
document.write('<scr'+'ipt type="text/javascript" src="https://optimized-by.4wnetwork.com/simply_loader.js?cb='+ cb +'"></scr' + 'ipt>');

to keep it simple.

This code appears multiple times in the page, they should all be changed.

Offline -Mirco-

Re: Content security policy configuration
« Reply #15 on: April 22, 2017, 08:54:49 AM »
Hello,
the first code is right.
This is just because the JS function document.location.protocol goes into the right case (https) and not into the else (http).

Offline Arantor

Re: Content security policy configuration
« Reply #16 on: April 22, 2017, 10:12:44 AM »
I would agree with you except for the small detail of the fact that it doesn't work which is why I suggested the rewrite to force it to HTTPS - which given that your forum is running HTTPS and therefore every request to it should be HTTPS but owing to the way you've handled redirects, it doesn't think that's correct.
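
Added example, not part of the thread and not the ad network's code: it reproduces the scheme selection of the loader quoted in Reply #14 and lists which tags an HTTPS page would treat as mixed content for each `document.location.protocol` value. The function names and the `example.test` hosts are constructed for illustration.

```javascript
// Added example. Function names and the example.test markup are constructed;
// the loader URL is the one quoted in Reply #14.

// Mixed Content spec: images, audio and video are "optionally-blockable";
// every other sub-resource (scripts, frames, ...) is "blockable".
const OPTIONALLY_BLOCKABLE = new Set(['img', 'audio', 'video']);

// Scheme selection exactly as the quoted loader performs it.
function loaderScheme(locationProtocol) {
  return 'https:' === locationProtocol ? 'https://' : 'http://';
}

// Markup the loader writes for a given document.location.protocol value.
function renderLoader(locationProtocol, cb) {
  return '<script type="text/javascript" src="' + loaderScheme(locationProtocol) +
    'optimized-by.4wnetwork.com/simply_loader.js?cb=' + cb + '"></script>';
}

// List every tag whose src is plain HTTP, i.e. what an HTTPS page would
// treat as mixed content. Protocol-relative (//host/...) and https:// URLs
// inherit or already use the secure scheme and are skipped.
function auditMixedContent(html) {
  const tagRe = /<(script|img|iframe|audio|video)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const url = m[2];
    if (!/^http:\/\//i.test(url)) continue;
    const category = OPTIONALLY_BLOCKABLE.has(tag) ? 'optionally-blockable' : 'blockable';
    findings.push({ tag, url, category });
  }
  return findings;
}

// Constructed page fragment: the loader under both protocol values, plus
// one hard-coded HTTP image and one protocol-relative frame.
const SAMPLE_HTML = [
  renderLoader('http:', 12345),
  '<img src="http://ads.example.test/banner.png">',
  renderLoader('https:', 12345),
  '<iframe src="//frames.example.test/slot"></iframe>',
].join('\n');

console.log(auditMixedContent(SAMPLE_HTML));
```

Hard-coding `https://` in the loader, as suggested in Reply #14, removes the dependence on `document.location.protocol` altogether, so the first finding cannot occur.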