riverside / http-headers Goto Github PK

The Report-To header returned by the plugin is not correctly formed.

A sample header as returned looks like the following (pretty for readability):

{
    "url": "https://example.com/reports",
    "group": "default",
    "max-age": 86400
}

According to Section 3.1 of the specification the JSON object should have:

• An optional group (string) member
• An optional include_subdomains (boolean) member
• A required max_age (number; positive integer) member
• A required endpoints (array) member

The url member being returned is not expected at the top-level of the JSON object, but instead should be included as a required member of each array element in the endpoints member. Each array element may also include optional priority and weight members, but this is not supported yet by the plugin.

Taking the earlier returned response the correct format would be (pretty for readability):

{
    "group": "default",
    "max_age": 86400,
    "endpoints": [
        {
            "url": "https://example.com/reports"
        }
    ]
}

The UI for configuring this header probably needs to be reworked a bit as it has the following related issues:

• A group contains one or more endpoints (as array elements). If multiple entries are provided with the same group, they should be added as separate array elements to the endpoints member of the same underlying group.
• The include_subdomains field is specific to a group and not a url. If two URLs are configured with the same group but different values for include_subdomains, this cannot be represented according to the specification.
• The same issue applies to max_age, which is specific to a group and not a url.

The radio option for the Security -> Cookie feature doesn't persist to On.

Version 1.10.4

Awesome plugin btw!

• Public-Key-Pins (depreciated)
• X-Frame-Options (covered by CSP frame-ancestors)

Hello,

I tried your plugin and it seems as it doesn't support altering requests that are sent to a WordPress blog's rss feed.

The usual url is https://some-blog.com/feed. Here is my example feed -> https://quickcoder.org/feed

Although I activated the "Access-Control-Allow-Origin" header, it doesn't work for the feed page. I still get a CORS error when using a custom app to access the content. Other pages on my blog work fine though with this app.

If you need further information, I'd be happy to supply those. Thanks!

Hey!

Thanks a lot for this plugin!

There is a new experimental option credentialless for header Cross-Origin-Embedder-Policy.
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

Is it possible to add? I can create a PR by myself if it's needed.

thanks in advance

Great work on a fantastic plugin! Makes managing the ever-increasing number of important HTTP headers much easier.

One header the plugin doesn't currently support is the NEL (Network Error Logging) header. This header works in conjunction with the Report-To header to enable browsers to report network events such as failed requests. It's a relatively simple header, and given your existing support for Report-To I expect would be relatively simple to implement. What are your thoughts?

Some background information:

• MDN: Network Error Logging
• W3: Network Error Logging
• URIports: Why you need 'Network Error Logging' (NEL)

Hello!

We've been alerted of a vulnerability involving SQL injection on the plugin regarding version 1.18.9

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/http-headers/http-headers-1189-authenticatedadministrator-sql-injection

A few users have reported this on the Plugin support:
https://wordpress.org/support/topic/vulnerability-65/
https://wordpress.org/support/topic/http-headers-1-18-9-authenticatedadministrator-sql-injection/

Thanks for your attention!

might be helpful to users to link the header names to the appropriate MDN doc

Hi

Thanks a lot for your WordPress HTTP Headers plugin.

Can you please give us a basic setting for the CSP implentation ?
if I follow the recomendations from https://infosec.mozilla.org/guidelines/web_security#content-security-policy I block many things on a basic WP site.

for instance the /wp-admin/plugin-install.php page doesn't display the extension image anymore.

Since your plugin is for WP can you please give this basic settings for the Content Security Policy please?
thanks