loading external content in write tab

colak · 2016-09-11 17:31:43

Here is another minor problem I found.

In many articles I include vimeo videos. Up to now they were not visible in the ‘preview’ tab in the ‘write’ pane. Now any html we have will actually render in the back end. I am worried regarding the safety of this. What if someone loads an swf application from a non-trusted third party for example, or even an image, svg, whatever.

I might just be paranoid about this but hopefully a plugin will be developed to change this functionality.

gaekwad · 2016-09-12 10:29:16

Look into content security policy:

content-security-policy.com
developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy

There’s already something in the issue queue, too: github.com/textpattern/textpattern/issues/408

colak · 2016-09-12 12:03:07

Hi Pete

the issue in github is from 2014. I was trying to implement an htaccess rule to block media from external sources but I then thought that the language files are also downloaded from outside the domain.

The links you posted are indeed interesting but what I was thinking was not myself but the average user who would not even try to understand all these.

etc · 2016-09-12 12:18:40

The default .htaccess in textpattern directory prevents your site from being embedded as a frame of other sites. Replace it with

<IfModule mod_headers.c>
    Header set Content-Security-Policy "frame-ancestors 'self'; child-src 'self'"
</IfModule>

to also block the frames from other sites in your site. But if we do it, average users might cry “where is my youtube video”.

gaekwad · 2016-09-12 12:19:40

etc wrote #301363:

But if we do it, average users might cry “where is my youtube video”.

This.

colak · 2016-09-12 12:39:37

or they might cry “where is my site!”

colak · 2016-09-12 13:02:19

Hi Oleg and Pete, thanks so much for this.

Unfortunately the htaccess script does not work. vimeo iframes are still loading. :(

etc · 2016-09-12 13:35:54

colak wrote #301369:

Unfortunately the htaccess script does not work. vimeo iframes are still loading. :(

That’s another problem, CSP level 2 is not yet supported by IE, Edge and Safari 9.1. Working in Firefox for me.

colak · 2016-09-12 15:41:31

I’m also working on ff v48.0.1 mac

etc · 2016-09-12 17:34:47

colak wrote #301378:

I’m also working on ff v48.0.1 mac

Ah..? Well, I’m just a poor boy, nobody buys me a mac :-) Will test when I can.

gaekwad · 2016-09-12 18:57:24

etc wrote #301383:

Well, I’m just a poor boy, nobody buys me a mac :-)

www.ebay.fr/itm/APPLE-Imac-G3-/222241755188 (currently 1EUR plus shipping)

etc · 2016-09-12 19:19:32

gaekwad wrote #301387:

www.ebay.fr/itm/APPLE-Imac-G3-/222241755188 (currently 1EUR plus shipping)

Oh man, il le vaut bien !

Textpattern CMS

Textpattern CMS support forum

#1 2016-09-11 17:31:43