Textpattern CMS support forum
Re: Revisiting the htaccess
Ah, good. A relatively “simple” solution then (as debugging obscure CSP issues can be rather messy…).
Tip: Chromium browsers have the most functional error console to debug CSP problems – more verbose, more clear language, and it offers potential workarounds.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg
Re: Revisiting the htaccess
Coming back to thank you for your help. For now, I sorted out the security in htaccess without nonces as that will require some more work from me.
I have installed Stef’s plugin and I will do it when I can focus on it when I get some more time.
I do get two errors in the Brave console saying that
Error with Permissions-Policy header: Invalid allowlist item(*.vimeo.com) for feature fullscreen. Allowlist item must be *, self or quoted url.
Error with Permissions-Policy header: Invalid allowlist item(*.youtube.com) for feature fullscreen. Allowlist item must be *, self or quoted url.
This is what I have:
Header set Permissions-Policy "accelerometer=(), autoplay=(), camera=(self), display-capture=(), encrypted-media=(), fullscreen=(self *.vimeo.com *.youtube.com), geolocation=(), gyroscope=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), clipboard-read=(), screen-wake-lock=(), sync-xhr=(self), usb=(), xr-spatial-tracking=()"
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Revisiting the htaccess
For your Permission-Policy – wrap the URLs in quotes, at least that seems to suppress the console messages. Note: single quotes (').
fullscreen=(self '*.vimeo.com' '*.youtube.com')
For your nonce-based Content-Security-Policy (aka CSP), take your time to test it all out, on a larger site with older content, there can be some hidden surprises on older pages. I think when MDN (Mozilla Developer Network) moved to a nonce-based CSP it took them 1 year. And don’t forget to test contact forms.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg
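An added illustration of the rule behind those console errors (this is example code written for this page, not code from the thread, from Textpattern or from Chromium): a small checker that splits a Permissions-Policy header value into its feature allowlists, flags every item that is neither `*`, `self`, `src` nor a quoted string, and rewrites the bare hosts in quotes. The sample header is the value from Yiannis's post above without the Apache `Header set` wrapper; the function names are mine, and the checker models only the item-form rule quoted in the console message, not the browser's full origin parsing.

```python
import re

# Allowlist keywords the Permissions-Policy spec accepts without quotes.
# The console error on this page names "*" and "self"; "src" is the third
# keyword from the spec (only meaningful in an iframe "allow" attribute).
KEYWORDS = {"*", "self", "src"}

# Constructed sample: the header value from the post above, without the
# surrounding Apache `Header set Permissions-Policy "..."` directive.
BROKEN_HEADER = (
    "accelerometer=(), autoplay=(), camera=(self), display-capture=(), "
    "encrypted-media=(), fullscreen=(self *.vimeo.com *.youtube.com), "
    "geolocation=(), gyroscope=(), idle-detection=(), magnetometer=(), "
    "microphone=(), midi=(), payment=(), picture-in-picture=(), "
    "publickey-credentials-get=(), clipboard-read=(), screen-wake-lock=(), "
    "sync-xhr=(self), usb=(), xr-spatial-tracking=()"
)

# One directive is feature=* or feature=(item item ...); directives are comma separated.
DIRECTIVE = re.compile(r"([A-Za-z0-9-]+)=(\*|\(([^)]*)\))")


def parse_permissions_policy(value):
    """Return {feature: [allowlist items]} for a Permissions-Policy header value."""
    policies = {}
    for m in DIRECTIVE.finditer(value):
        feature, whole, inner = m.group(1), m.group(2), m.group(3)
        policies[feature] = ["*"] if whole == "*" else inner.split()
    return policies


def classify_item(item):
    """'keyword', 'quoted' or 'invalid', following the rule in the console error.

    Only the form is checked; whether the browser accepts the quoted origin
    itself (e.g. a wildcard host) is a separate question this checker skips.
    """
    if item in KEYWORDS:
        return "keyword"
    if len(item) >= 2 and item[0] == item[-1] and item[0] in ('"', "'"):
        return "quoted"
    return "invalid"


def validate(value):
    """List (feature, item, message) for every allowlist item a browser would reject."""
    errors = []
    for feature, items in parse_permissions_policy(value).items():
        for item in items:
            if classify_item(item) == "invalid":
                errors.append((feature, item,
                               f"Invalid allowlist item({item}) for feature {feature}. "
                               "Allowlist item must be *, self or quoted url."))
    return errors


def quote_bare_hosts(value, quote='"'):
    """Wrap every bare host in quotes; keywords and already quoted items stay as they are."""
    def fix(m):
        items = m.group(2).split()
        fixed = [i if classify_item(i) != "invalid" else f"{quote}{i}{quote}" for i in items]
        return f"{m.group(1)}=({' '.join(fixed)})"
    return re.sub(r"([A-Za-z0-9-]+)=\(([^)]*)\)", fix, value)


if __name__ == "__main__":
    # Reproduces the two Brave/Chromium console messages from the thread.
    for feature, item, msg in validate(BROKEN_HEADER):
        print("Error with Permissions-Policy header:", msg)
    # quote="'" gives the form used in the reply above; the default gives
    # the double-quoted string form of RFC 8941 structured fields.
    print(quote_bare_hosts(BROKEN_HEADER, quote="'"))
    assert validate(quote_bare_hosts(BROKEN_HEADER)) == []
```

The spec serializes origins as double-quoted strings, but inside an Apache `Header set "..."` argument each inner double quote has to be escaped as `\"`, which is why the single-quoted form from the reply is the more convenient one to paste into .htaccess. Running the checker against a header before deploying it catches the bare-host mistake without having to load the site in a browser and read the console.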
Re: Revisiting the htaccess
phiw13 wrote #340774:
For your Permission-Policy – wrap the URLs in quotes, at least that seems to suppress the console messages. Note: single quotes (').
fullscreen=(self '*.vimeo.com' '*.youtube.com')...
Done and all errors have gone!!! Thanks so much.
For your nonce-based Content-Security-Policy (aka CSP), take your time to test it all out, on a larger site with older content, there can be some hidden surprises on older pages. I think when MDN (Mozilla Developer Network) moved to a nonce-based CSP it took them 1 year. And don’t forget to test contact forms.
I hope that it will not take me a year :)
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.