16patsle / wordpress-csp-manager


WordPress plugin for configuring Content Security Policy headers for your site. Allows different CSP headers for the admin backend, logged-in frontend visitors and regular visitors.

Home Page: https://wordpress.org/plugins/csp-manager/

License: GNU General Public License v3.0

PHP 97.52% CSS 1.27% JavaScript 1.21%
content-security-policy csp hacktoberfest security wordpress wordpress-plugin


wordpress-csp-manager's Issues

add_filter

Hi, do you provide a filter (add_filter) so that rules including a dynamically generated nonce-xxx can be merged into the generated header?
This could be a great feature.
Thanks

Headers already sent warning on cron run

Hello, we have noticed that the plugin doesn't work correctly with wp-cron.

Error message:
Cannot modify header information - headers already sent
called at /htdocs/wp-content/plugins/csp-manager/src/CSP_Manager/Core.php (74)
in CSP_Manager\Core::csp_init called at /htdocs/wp-includes/class-wp-hook.php (307)
in WP_Hook::apply_filters called at /htdocs/wp-includes/class-wp-hook.php (331)
in WP_Hook::do_action called at /htdocs/wp-includes/plugin.php (474)
in do_action called at /htdocs/wp-settings.php (587)
in require_once called at /htdocs/wp-config.php (116)
in require_once called at /htdocs/wp-load.php (50)
in require_once called at /htdocs/wp-cron.php (44)

Allow using same policy across several of admin/logged-in/frontend (and also inheriting?)

Sometimes you don't need a separate policy for logged-in users, and sometimes you only need one in general. You might also want to override a single directive for logged-in users, while inheriting the rest from the frontend policy. We should implement some toggles that allow the user to configure such behavior.

Something like:

  • Option to "use this policy instead" (maybe using a select element, but check for cyclic references)
  • Option to "inherit unspecified directives from this policy" (maybe tied to the above with a checkbox, or maybe a separate select)

Would need to figure out how these relate to each other and how they work together.

CSP breaks when new line characters are in the fields

When a new line character is added to one of the fields, like script-src, a PHP error is thrown and the Content-Security-Policy header does not get set.

FastCGI sent in stderr: "PHP message: PHP Warning: Header may not contain more than a single header, new line detected in /home/www/www/wordpress-web/wp-content/plugins/csp-manager/src/CSP_Manager/Core.php on line 72" while reading response header from upstream, client: 192.168.1.216, server: www.example.com, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "www.example.com"

It would be great if the plugin sanitized the field when saving and removed the new line character or replaced it with a space.

Implement CSP presets (and a more reasonable default)

Currently the default is default-src: 'self', but we could probably have a choice between three different presets.

  • Self: Like currently. It could probably include other domains that might get requested in a typical core WordPress installation too (if any). At least the logged-in and admin backend policies should be more permissive.
  • Typical: Should reflect a typical WordPress installation, including popular third party plugins or domains (probably stuff like Google Fonts, Google Analytics and Jetpack, which are all commonly used), and fairly permissive for the admin backend.
  • Permissive: Should accept almost everything (though maybe a few common restrictions?)

Valid JSON cannot be saved into the Report-To header option

Hi, the MDN article on the Report-To header lists its type as JSON, but when I try to save a JSON string in the admin, there is some sanitizing that is removing the commas.

I believe the issue is that the Report-To header should not have the same sanitizing rules as the directives that go under the content-security-policy header.

Happy to open up a PR if you agree with the above. My suggestions are:

  • Add a 'type' => 'json' parameter to the field definition, which would make the default sanitizer skip it. I guess a more correct update would remove it from the directives array, but I'm trying to think of the smallest changeset possible.
  • In the pre-update hook, add a conditional to check for that type and validate the input with json_decode().

Thanks, looking forward to your thoughts.

Carlos
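One way to handle both the newline report and the Report-To JSON report above at save time. This is an added example, not code from the csp-manager plugin: the 'type' => 'json' field-definition key, the function names and the shape of the options array are assumptions, and the sanitizer would be wired into whatever pre-update hook the plugin uses.

```php
<?php
// Added example (not plugin code): pre-save sanitizing for the option fields.
// Ordinary directive values lose their CR/LF (header() rejects them), while a
// field declared with the hypothetical 'type' => 'json' key, such as Report-To,
// is validated with json_decode() instead of the directive sanitizer.

/** Strip line breaks and control characters from a directive value. */
function csp_sanitize_directive_value(string $value): string {
    $value = str_replace(["\r", "\n"], ' ', $value);         // never inside a header
    $value = preg_replace('/[\x00-\x1F\x7F]/', ' ', $value); // other control chars
    $value = preg_replace('/\s+/', ' ', $value);             // collapse whitespace
    return trim($value);
}

/**
 * Validate a JSON-typed field. Returns normalized JSON, '' for an empty
 * field, or null when the input is not valid JSON.
 */
function csp_sanitize_json_value(string $value): ?string {
    $value = trim($value);
    if ($value === '') {
        return '';
    }
    $decoded = json_decode($value, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return null;
    }
    // Re-encoding drops the newlines a user may have typed into the textarea.
    $encoded = json_encode($decoded, JSON_UNESCAPED_SLASHES);
    return $encoded === false ? null : $encoded;
}

/**
 * Sanitize the submitted option array field by field. $fields maps a field
 * name to its definition; $previous is the stored value, kept when a JSON
 * field's new input fails validation instead of saving a broken header.
 */
function csp_sanitize_options(array $input, array $fields, array $previous): array {
    $clean = [];
    foreach ($fields as $name => $def) {
        $raw = isset($input[$name]) ? (string) $input[$name] : '';
        if (($def['type'] ?? 'directive') === 'json') {
            $json = csp_sanitize_json_value($raw);
            $clean[$name] = $json ?? ($previous[$name] ?? '');
        } else {
            $clean[$name] = csp_sanitize_directive_value($raw);
        }
    }
    return $clean;
}
```

Rejecting invalid JSON on save, rather than stripping commas from it, is what keeps a syntactically broken Report-To value from ever reaching header().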

Undefined $option['mode'] error

I got these errors on the frontend with debug mode on:

Notice: Undefined index: mode in /var/www/html/wp-content/plugins/csp-manager/src/CSP_Manager/Core.php on line 54
Notice: Undefined index: mode in /var/www/html/wp-content/plugins/csp-manager/src/CSP_Manager/Core.php on line 57
Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/wp-content/plugins/csp-manager/src/CSP_Manager/Core.php:54) in /var/www/html/wp-content/plugins/csp-manager/src/CSP_Manager/Core.php on line 74
Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/wp-content/plugins/csp-manager/src/CSP_Manager/Core.php:54) in /var/www/html/wp-content/plugins/headers-security-advanced-hsts-wp/headers-security-advanced-hsts-wp.php on line 79

The issue is related to this line of code:

if ($option !== false && $option['mode'] !== 'disabled') {
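The guards that the "Headers already sent warning on cron run" report and the undefined 'mode' report above call for, as an added example that is not the plugin's own code. The option layout (['mode' => ..., 'directives' => [...]]), the mode values 'enforce' and 'report-only', and the function names are assumptions; only 'disabled' appears in the plugin's check quoted above, and the trace in the cron report shows the header being sent from an 'init' callback.

```php
<?php
// Added example (not plugin code): guards around header emission. It skips
// WP-Cron runs and requests where output has already started, and treats a
// missing or unknown 'mode' as disabled rather than reading an undefined
// index. The option layout and the mode values 'enforce' / 'report-only'
// are assumptions; only 'disabled' appears in the plugin's own check.

/** Decide whether this request should get a CSP header at all. */
function csp_should_send_header($option): bool {
    // wp-cron.php has no browser to protect and may have produced output.
    if (function_exists('wp_doing_cron') && wp_doing_cron()) {
        return false;
    }
    // header() warns once output has started; test for it instead.
    if (headers_sent()) {
        return false;
    }
    // get_option() returns false when unset, and old data may lack 'mode'.
    if (!is_array($option) || !isset($option['mode'])) {
        return false;
    }
    return in_array($option['mode'], ['enforce', 'report-only'], true);
}

/** Build [header name, header value] from the stored option. */
function csp_build_header(array $option): array {
    $name = $option['mode'] === 'report-only'
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    $parts = [];
    foreach ($option['directives'] ?? [] as $directive => $value) {
        // Defence in depth: a stray line break must never reach header().
        $value = trim(preg_replace('/\s+/', ' ', (string) $value));
        if ($value !== '') {
            $parts[] = $directive . ' ' . $value;
        }
    }
    return [$name, implode('; ', $parts)];
}

/** Hooked early (for example on 'init'); sends nothing when it is not safe. */
function csp_send_header($option): void {
    if (!csp_should_send_header($option)) {
        return;
    }
    [$name, $value] = csp_build_header($option);
    if ($value !== '') {
        header($name . ': ' . $value);
    }
}
```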
