
CSP Plugin

1 month 2 weeks ago #3996 by Deckard
CSP Plugin was created by Deckard
Hello,

Does the CSP plugin also give me the possibility to set specific rules for certain pages?
Problem is that the Joomla 2FA function uses a data URL image and usually you would block that with a CSP but for that specific page I would want to relax the rule.

Thank you

Carsten


1 month 2 weeks ago #3997 by michael
Replied by michael on topic CSP Plugin
No, but that's an interesting idea. Would you rather see it as a content plugin (something like a tag in the article - like this {csp imagesrc=*.imageserver.com scriptsrc=*.scriptserver.com})?

Or, something like a field within the article properties that looked like the plugin configuration.


1 month 1 week ago #4011 by Deckard
Replied by Deckard on topic CSP Plugin
Hi,

For security purposes I'd rather not see this as an article option, but rather have a central place (e.g. in component or in the plugin) where I can set a general CSP rule and then define certain URL paths (regex) where I set a custom rule for each of the exempt URLs.
Now I have to do some weird nginx workarounds (because I set the header currently by the nginx webserver).

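Deckard's proposal above (one central policy, plus regex-matched URL paths that get a relaxed rule) expressed directly in nginx, as an added example that is not the plugin's code or anything posted in this thread. The path regex for the Joomla 2FA profile form and the hostname are assumptions; the base policy is a constructed sample, and the exemption only widens img-src, and only to add data:, on the matched page.

```nginx
# Added example, not the CSP plugin's code. Central base policy with a
# per-path override, which replaces the usual add_header-in-location
# workaround (add_header in a nested block discards the parent's headers).
# The map is evaluated per request; keep it in the http{} context.
map $request_uri $csp_img_src {
    # Default for every page: images only from this origin, no data: URLs.
    default "'self'";

    # ASSUMPTION: the Joomla 2FA setup form lives at this non-SEF URL on
    # this site. Adjust to the path your site actually serves it under.
    # $request_uri (unlike $uri) still contains the query string, which is
    # what we need to match the option/view/layout parameters.
    "~^/index\.php\?option=com_users&view=profile&layout=edit" "'self' data:";
}

server {
    listen 443 ssl;
    server_name example.org;   # placeholder

    # Emitted once at server level so every location inherits it. The only
    # directive that varies by page is img-src; everything else stays fixed.
    add_header Content-Security-Policy "default-src 'self'; img-src $csp_img_src; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;

    location / {
        # Standard Joomla front-controller routing; no add_header here, or
        # the server-level CSP header above would be dropped for this block.
        try_files $uri $uri/ /index.php?$args;
    }
}
```

If the site uses SEF URLs or a menu item for the profile page, the matched path changes, which is exactly the page-matching fragility discussed further down in the thread; verify the emitted header on the 2FA page with the browser's network tab before relying on it.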

1 month 1 week ago #4012 by michael
Replied by michael on topic CSP Plugin
The problem with doing it in the plugin is page matching. Because an article might be displayed in a blog layout, or the article layout - regex wouldn't necessarily work. Those URLs could be radically different, and it wouldn't necessarily work to assign by itemId because you would need a menu item for each article with custom settings.

I can see the security implications of using a content plugin tag, but what about article options that are restricted to specific access levels? I could allow configuration of the access levels within the plugin, and then you could make changes to CSP while editing the specific articles where the changes need to be made....but only if your access level is allowed.

How does that sound? I'm trying to make this as accessible as possible, because not everyone can grasp regex and at the end of the day, I'm trying to make this available to the broadest audience possible.


Powered by Kunena Forum