Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#61 2021-04-15 13:40:11

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,305
Website GitHub

Re: Fook Google and its fookin' sheet

gaekwad wrote #329840:

I’d be inclined to do a good article on .com, outlining the relevant how-to’s for each platform, and outlining our policy very clearly, rather than a blanket (or even commented) thing with headers in web server config files as part of our release bundles.

Fine by me! It’s all good content.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#62 2021-04-15 19:37:03

gaekwad
Multi-hyphenate
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,532
GitHub

Re: Fook Google and its fookin' sheet

Effective from 2000UTC today (about 25 minutes from the time of this post), all self-hosted Textpattern network sites will have interest-cohort() headers set across all pages.

Any user agent that respects this will know we’re excluded. User agents that don’t respect it…well, nothing we can do about that. Pick your browser wisely, I guess.

We can be opinionated about what we do with our own network sites, what everyone else does is up to them. I’m not saying “put down your pitchforks”, I come in peace with some good (!?) news.

Offline

#63 2021-04-15 22:51:12

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,360
Website

Re: Fook Google and its fookin' sheet

gaekwad wrote #329858:

Any user agent that respects this will know we’re excluded. User agents that don’t respect it…well, nothing we can do about that. Pick your browser wisely, I guess.

Browsers that don’t support that header don’t support the whole Floc tracking and profiling either, so users of those browsers are safe anyway.


Where is that emoji for a solar powered submarine when you need it ?

Offline

#64 2021-04-15 23:59:08

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,360
Website

Re: Fook Google and its fookin' sheet

gaekwad wrote #329858:

Effective from 2000UTC today (about 25 minutes from the time of this post), all self-hosted Textpattern network sites will have interest-cohort() headers set across all pages.

Interesting:

When I view the textpattern.com headers on the network pane in the Firefox developer tools or the Sources pane with Safari’s tools, I see the following for permissions-policy:

permissions-policy: accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),fullscreen=(self),geolocation=(),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),screen-wake-lock=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()

dito for the forum.

Both served by Cloudflare, fwiw.


Where is that emoji for a solar powered submarine when you need it ?

Offline

#65 2021-04-16 07:31:59

gaekwad
Multi-hyphenate
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,532
GitHub

Re: Fook Google and its fookin' sheet

phiw13 wrote #329860:

Browsers that don’t support that header don’t support the whole Floc tracking and profiling either, so users of those browsers are safe anyway.

Yes. My comment was more along the lines of any user agent can be compiled to ignore any arbitrary headers, so it shouldn’t be considered a catch-all method from our end.

As to why you’re not seeing headers appearing…caching? They are committed and uploaded, Nginx restarted, so they are sorted from our end.

I ran a check on forum.textpattern.com last night shortly after I’d implemented the header, and it shows up: securityheaders.com/?q=https%3A%2F%2Fforum.textpattern.com&hide=on&followRedirects=on

Last edited by gaekwad (2021-04-16 07:33:56)

Offline

#66 2021-04-16 08:06:21

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,360
Website

Re: Fook Google and its fookin' sheet

gaekwad wrote #329864:

Yes. My comment was more along the lines of any user agent can be compiled to ignore any arbitrary headers, so it shouldn’t be considered a catch-all method from our end.

absolutely. That is what I have argued above the whole time. that header solution is good for now. Maybe ever-loving big brother will change (to something less good ?) when noticing that many sites actually block that tracking.

As to why you’re not seeing headers appearing…caching?

Oh, but I do see it, did you see my follow-up ? I was only mildly surprised at the scope of the permissions-policy.


Where is that emoji for a solar powered submarine when you need it ?

Offline

#67 2021-04-16 09:13:31

gaekwad
Multi-hyphenate
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,532
GitHub

Re: Fook Google and its fookin' sheet

phiw13 wrote #329866:

Oh, but I do see it, did you see my follow-up ? I was only mildly surprised at the scope of the permissions-policy.

That’ll teach me to read things too quickly before breakfast. My apologies. I was fighting some weird caching issues last night that meant the new stuff wasn’t proliferating.

What’s your concern with the Permissions Policy, out of interest?

Offline

#68 2021-04-16 09:41:47

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,360
Website

Re: Fook Google and its fookin' sheet

gaekwad wrote #329868:

What’s your concern with the Permissions Policy, out of interest?

None, really. It was more a surprise to see you had gone such an extensive list – basically everything and the kitchen sink… Ok, maybe not that last one. Better leave that alone!

I may even steal borrow it for my own playground(s), if you don’t mind.


Where is that emoji for a solar powered submarine when you need it ?

Offline

#69 2021-04-16 09:49:40

gaekwad
Multi-hyphenate
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,532
GitHub

Re: Fook Google and its fookin' sheet

phiw13 wrote #329871:

I may even steal borrow it for my own playground(s), if you don’t mind.

Please do! github.com/textpattern/server-config is where we store stuff. I’ve just noticed that repo is not licensed, I’ll sort that now.

All due respect to Phil, he keeps me on my toes with a lot of this stuff, between us we actually do pretty well at web servers!

Offline

#70 2021-04-16 09:56:16

gaekwad
Multi-hyphenate
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,532
GitHub

Re: Fook Google and its fookin' sheet

gaekwad wrote #329872:

I’ve just noticed that repo is not licensed, I’ll sort that now.

Done – it’s a bunch of configs, so have at ‘em.

See also: #38 & 37 for background.

Offline

#71 2021-04-16 10:03:55

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,305
Website GitHub

Re: Fook Google and its fookin' sheet

[OT] Waaaaht?! Nginx doesn’t support header ‘append’, meaning you have to do that variable dance each time?

Is there any mileage in siphoning off the repetitive bits to an include, á la this guy’s approach:

www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx

Might mean less manual wrangling for sites that have a common set of policies, etc…. if they do indeed share anything (I haven’t checked in detail).


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#72 2021-04-16 10:21:39

gaekwad
Multi-hyphenate
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,532
GitHub

Re: Fook Google and its fookin' sheet

Bloke wrote #329874:

[OT] Waaaaht?! Nginx doesn’t support header ‘append’, meaning you have to do that variable dance each time?

Is there any mileage in siphoning off the repetitive bits to an include, á la this guy’s approach:

www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx

Might mean less manual wrangling for sites that have a common set of policies, etc…. if they do indeed share anything (I haven’t checked in detail).

There is, yes. I haven’t found time to do it yet! Not much I want to get involved in proactively before I move house at the end of the month considering the office will be packed at up t-minus 7 days, and there’s lots of stuff to disconnect (you may recall).

The readability and maintainability of the config trumps the overall performance gain in not smashing the variables each time, but high level my plan is:

  • each policy type (and we will have more than Content Security and Permissions by this time next year, I’m sure of it) has its own text file outside the web-side directory scaffold;
  • each text file has one directive per line for readability / maintainability;
  • config rebuild takes place either ad hoc (shell script with some cat + sed magic) or scheduled;
  • config file then has much longer lines containing all the directives, and is less wieldy in a terminal session, but Nginx won’t care;

That’s the plan, anyway.

Offline

Board footer

Powered by FluxBB