Textpattern CMS support forum


#13 2025-09-28 05:03:00

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

phiw13 wrote #340724:

I don’t think so: My age-old test site uses the plugin mentioned by Julian to generate a nonce and set a strict CSP policy. Here is a test page [1] with a Bandcamp audio and a YT (nocookie) video: emps.l-c-n.com/tests/inserting-an-embeded-video-or-audio-iframe. View the page source to see the presence of the nonce on each resource: script, stylesheet.

My CSP header is included (inserted first thing on each page template).

For Bandcamp you have to remove the inline style they add to their code and style the iframe yourself (it is only border, width and height).

[1] The page will disappear in a week or so…

Thanks so much Philippe.

I’m still lost about how I can have both the .htaccess directives and the page header. Can I use them together?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#14 2025-09-28 05:40:48

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

Also, as the <txp:header /> is db based, how can we ensure protection at the rare times that the db is down?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#15 2025-09-28 05:50:06

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,998
Website GitHub

Re: Revisiting the htaccess

colak wrote #340726:

Also, as the <txp:header /> is db based, how can we ensure protection at the rare times that the db is down?

If the DB is down, surely nothing is served and you get a Database Down message? What are you trying to protect? There can’t be any denial of service if there’s no service to deny?!


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Online

#16 2025-09-28 05:50:22

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,481
Website

Re: Revisiting the htaccess

colak wrote #340725:

Thanks so much Philippe.

I’m still lost about how I can have both the .htaccess directives and the page header. Can I use them together?

It is not difficult! :-) You don’t need that CSP block in your .htaccess file anymore.

The slightly longer answer: we are talking about securing the public part of your site with a nonce-based CSP. For this you do not need that CSP block in your .htaccess file; all the work is done inside your pages and forms templates.

For the admin side (/textpattern), you still need a CSP block, unless you also want to go with a nonce-based CSP – I personally insert a .htaccess inside /textpattern for that. Textpattern 4.9 has a built-in method to go with a strict nonce-based CSP policy. For the core code that works fine. The problem is plugins which may not be ready for that. Or are partly ready. I only use that approach on one personal site with not many plugins or plugins that are ready (and still, smd_thumbnail is only partly compatible, it has a number of inline script attributes which need some care…).

For the public side, I am only aware of one plugin causing me some grief: com_connect when using the <txp:com_connect_text hidden label="" name="Human" default="yes" expected="yes" delay="6-12" required="0" /> tag to block spammers. It uses some JS block that is inserted after page load and I have no idea how to insert my nonce attribute on it (see github.com/textpattern/com_connect/issues/94).

Also, as the <txp:header /> is db based, how can we ensure protection at the rare times that the db is down?

If the DB is down your site won’t work at all I think – at least that was the case when I had that issue


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg

Offline

#17 2025-09-28 06:30:53

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

Implemented, but I’m getting Video unavailable and the thumbnails of the videos are also not loading.

Code is in a form: <txp:header name="Content-Security-Policy" value='base-uri ''none'';connect-src ''self''; default-src ''self''; font-src ''self''; form-action ''self''; frame-ancestors ''self''; frame-src ''self'' https://player.vimeo.com https://www.youtube-nocookie.com; img-src blob: data: ''self''; manifest-src ''self''; media-src data: ''self''; object-src ''none''; script-src ''self''; script-src-attr ''none''; script-src-elem ''strict-dynamic'' ''<txp:smd_token name="csp_token" prefix="nonce-" />''; style-src ''self''; style-src-attr ''none''; style-src-elem ''self'' ''<txp:smd_token name="csp_token" prefix="nonce-" />'';' />


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#18 2025-09-28 07:39:14

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,034
Website GitHub

Re: Revisiting the htaccess

colak wrote #340729:

Implemented, but I’m getting Video unavailable and the thumbnails of the videos are also not loading.

I’m not seeing the nonce in your source code, so the first thing would be to also add the nonce as an attribute of each of your script, style and css link tags.

See that issue I linked to before and the smd_token docs. Otherwise, you may also need to permit certain image and frame-src domains.

EDIT: added.

I had a look at what I have in a site. At the very top of the page I have a form that defines some variables for the rest of the page. It’s in a hidden but processed block so it doesn’t generate any output. This is the form’s basic structure:

<txp:hide process>
    +++ Generate nonce and variable holding nonce attribute +++
    <txp:variable name="nonce"><txp:smd_token length="24" /></txp:variable>
    <txp:variable name="nonce_attr"> nonce="<txp:variable name="nonce" />"</txp:variable>

    ... rest of my page variables ...
</txp:hide>

You can then include that variable in your txp:header block.

And then in my various page templates and forms I do this:

<!-- css link -->
<link rel="stylesheet" media="screen" href="/assets/css/styles.css"<txp:variable name="nonce_attr" />>
<!-- inline style block -->
<style<txp:variable name="nonce_attr" />>.my-style { color: red; }</style>

<!-- javascript file -->
<script src="/assets/js/main.js"<txp:variable name="nonce_attr" />></script>
<!-- inline javascript block -->
<script<txp:variable name="nonce_attr" />>
    document.documentElement.className = document.documentElement.className.replace('no-js', 'js');
</script>

I’m not sure if that works with iframes too (Philippe suggests yes). If not, you may need to make explicit allow rules for that.

BTW: You can do this without the variable by setting <txp:smd_token name="csp_token" length="24" /> at the top in your header as you have it now and then in each of your instances, you just need to write out:

<script src="/assets/js/main.js" nonce="<txp:smd_token name="csp_token" />"></script>

and so on.

I used the variable so it outputs nothing if I have no CSP directives set, but as you know you have yours set, there’s no direct need except for the convenience of typing less.

——

On the YouTube / vimeo front, you may need to explicitly permit more source domains, e.g.

*.vimeo.com *.youtube.com *.ytimg.com *.youtube-nocookie.com *.vimeocdn.com


TXP Builders – finely-crafted code, design and txp

Offline

#19 2025-09-28 08:35:36

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,481
Website

Re: Revisiting the htaccess

I do more or less the same as Julian, with the difference I don’t use variables but insert the nonce more directly, same result in the end.

BTW, if you use the built-in Styles tab, use code like this to add your stylesheets:
<link rel="stylesheet" nonce="<txp:smd_token name='csp_token' />" href="<txp:css format='flat.url' name='stylesheet-name' />">

Adjust the format attribute to your needs; I force all the stylesheets managed through the Styles tab to disk and load from there.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg

Offline

#20 2025-09-28 09:22:22

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

What about youtube and vimeo videos? Do I need to add the nonce in their iframe?

i.e. do I need <iframe loading="lazy" nonce="<txp:smd_token name='csp_token' />" etc />?

Edit: At the moment I have the header behind an <txp:if_logged_in /> until I make everything work again.

Last edited by colak (2025-09-28 09:23:40)


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#21 2025-09-28 09:28:36

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,481
Website

Re: Revisiting the htaccess

colak wrote #340737:

What about youtube and vimeo videos? Do I need to add the nonce in their iframe?

I never needed it, as long as your CSP policy explicitly allows them, as we (J. and me) have shown.

frame-src ''self'' https://bandcamp.com https://player.vimeo.com https://www.youtube-nocookie.com;

Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg

Offline
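An added checker, not part of this thread or of Textpattern/smd_token, for the two failure modes discussed above: a script or style element that carries no valid nonce (jakob’s point in #18) and an iframe whose origin is missing from frame-src (phiw13’s point in #21). The policy string, the page fragment and the nonce value are constructed samples, with the policy shaped like colak’s <txp:header> form after Textpattern has resolved the smd_token tags.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the policy colak's <txp:header> form would emit once Textpattern
# has resolved smd_token (placeholder nonce), and a fragment where only some elements carry it.
CSP = ("frame-src 'self' https://player.vimeo.com https://www.youtube-nocookie.com; "
       "script-src-elem 'strict-dynamic' 'nonce-abc123'; "
       "style-src-elem 'self' 'nonce-abc123'")

HTML = """<link rel="stylesheet" nonce="abc123" href="/assets/css/styles.css">
<style>.my-style { color: red; }</style>
<script src="/assets/js/main.js"></script>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<iframe src="https://bandcamp.com/EmbeddedPlayer/album=1"></iframe>"""

TAG = re.compile(r'<(script|style|link|iframe)\b([^>]*)>', re.I)
ATTR = re.compile(r'([\w-]+)="([^"]*)"')

def parse_csp(header):
    # 'dir src src; dir src' -> {directive: [sources]}
    return {p.split()[0]: p.split()[1:] for p in header.split(';') if p.strip()}

def element_allowed(attrs, sources):
    # Nonce match wins; 'self' covers same-origin files unless 'strict-dynamic' disables host sources.
    if f"'nonce-{attrs.get('nonce')}'" in sources:
        return True
    url = attrs.get('src') or attrs.get('href')
    same_origin = bool(url) and not urlsplit(url).netloc
    return same_origin and "'self'" in sources and "'strict-dynamic'" not in sources

def frame_allowed(src, sources):
    # Compare the iframe's host with each frame-src host (supports *.host entries).
    host = urlsplit(src).netloc
    if not host:
        return "'self'" in sources
    hosts = [urlsplit(s).netloc if '://' in s else s for s in sources if s[0] != "'"]
    return any(h == host or (h.startswith('*.') and host.endswith(h[1:])) for h in hosts)

def audit(html, csp):
    # One finding per element the browser would block under this policy.
    policy, findings = parse_csp(csp), []
    for m in TAG.finditer(html):
        tag, attrs = m.group(1).lower(), dict(ATTR.findall(m.group(2)))
        if tag == 'iframe' and not frame_allowed(attrs.get('src', ''), policy.get('frame-src', [])):
            findings.append(f"iframe {attrs.get('src')} is not allowed by frame-src")
        elif tag in ('script', 'style') or attrs.get('rel') == 'stylesheet':
            directive = 'script-src-elem' if tag == 'script' else 'style-src-elem'
            if not element_allowed(attrs, policy.get(directive, [])):
                findings.append(f"<{tag}> has no valid nonce and is blocked by {directive}")
    return findings
```

Running `audit(HTML, CSP)` on the samples reports the inline style block, the un-nonced script and the Bandcamp iframe, which are exactly the three things the thread ends up fixing by hand.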

#22 2025-09-28 14:59:22

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

I seem to be having a total block on this but I’m also having another more major issue on this and other pages as I’m now getting a console error Cookie “” has been rejected as third-party and another one saying Request to access cookie or storage on “https://www.youtube-nocookie.com/embed/M0BiDw7OvqI” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. Interestingly this does not appear on every page as on this page, for example, everything loads just fine. Tested on Firefox 143, Safari 17.5 and, just in case it has to do with my cache, I also tested it on Tor Browser 14.5.7.

I reverted the htaccess as I had it yesterday and disabled all nonce instances until I solve this issue.

Edited to add that I have “Enhanced Tracking Protection” set to “standard.”

Last edited by colak (2025-09-28 15:15:47)


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#23 2025-09-28 16:28:44

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

I may have found the issue. Some videos contain copyrighted music which although we have the right to upload on YouTube, we do not have the right to embed them. Thankfully YouTube has a tool to replace the music with a non-copyrighted one and also preserve the talks. The particular video I posted above is 45’ and has under 30” of copyrighted music spread in 3 places.

I’m currently editing it to see if the issue will be resolved!


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#24 2025-09-29 03:22:25

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

colak wrote #340744:

I may have found the issue. Some videos contain copyrighted music which although we have the right to upload on YouTube, we do not have the right to embed them. Thankfully YouTube has a tool to replace the music with a non-copyrighted one and also preserve the talks. The particular video I posted above is 45’ and has under 30” of copyrighted music spread in 3 places.

I’m currently editing it to see if the issue will be resolved!

This was solved quickly.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline
