MartinBY
Forum Replies Created
Forum: Plugins
In reply to: [No unsafe-inline] XML-RPC possible?
Hi, for all trying to enforce security using CSP: the use of xmlrpc is a serious security problem within WP!
For me, I enforce xmlrpc.php using DynDNS allow rules within .htaccess, which is updated by the following script via cron jobs: GitHub – KarlAustin/htaccessDynamicIPs: A little tool for querying DynamicDNS hostnames and inserting the IPs in to a .htaccess file.
This script uses 3 files:
- app.cfg.php (a configuration for the script)
- dynamic.php (the script itself)
- hostnames.dyn (a list of hostnames for dynv6 accounts like “dns1.dynv6.net” “dns2.dynv6.net” …, one DNS name per line).
My cronjob is set up as follows:
/usr/local/php83/bin/php -f 'your path to script folder/dynamic.php' -- '--htaccess' '/your path to htaccess file/.htaccess' '--hostnames' 'your path to script folder/hostnames.dyn' '--ipv6' '--backup'
The .htaccess rule to protect xmlrpc is (example with replaced IPs):
<Files "xmlrpc.php">
#* DYNAMIC IPS -- START *#
<RequireAny>
#- dns1.dynv6.net
Require ip xxx.xxx.xxx.xxx
#- dns2.dynv6.net
Require ip xxx.xxx.xxx.xxx
#- dns3.dynv6.net
Require ip xxx.xxx.xxx.xxx
#- dns1.dynv6.net
Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
#- dns2.dynv6.net
Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
#- dns3.dynv6.net
Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
</RequireAny>
#* DYNAMIC IPS -- END *#
</Files>
The script looks for the start and end marks (within the #* *# brackets) and creates a list of allowed IP addresses managed by the dynv6 service (Require ip).
Forum: Plugins
In reply to: [No unsafe-inline] XML-RPC possible?
@mociofiletto, thank you very much! Yes, it works (with activated CSP, without collecting mode) very well. Best regards, Martin
Forum: Plugins
In reply to: [No unsafe-inline] Dashboard lost Stylesheet
I got it solved only by deactivating both options for SRI…
Forum: Plugins
In reply to: [No unsafe-inline] XML-RPC possible?
I use the following app from the Play Store: https://play.google.com/store/apps/details?id=com.jetpack.android. It uses xmlrpc.php to manage content.
My webpage in preparation: https://goerres-web.de
Forum: Plugins
In reply to: [No unsafe-inline] Dashboard lost Stylesheet
Hi Giuseppe, thank you for your quick response!
Meanwhile the dashboard is visualized very well and I collect more details for whitelisting.
Actually only wp-login does not show the styles and images as expected (also when I deactivated plugins for hiding it). Any hint for this?
Forum: Plugins
In reply to: [No unsafe-inline] Dashboard lost Stylesheet
OK, now I understand:
Within ‘Settings/Misc options’ I deactivated ‘Enforce policy in admin’; after this, all parts of the dashboard are visible now.
Forum: Themes and Templates
In reply to: [NSFW] [Graphene] Customizer does not publish –> ERROR
Hi, after reading some web articles, I found the reason: after deactivating the plugin Autoptimize and reinstalling the theme:
- The theme update/publishing works fine
- The response of the website is much faster

@rogierlankhorst, yes I agree, and different browsers react differently to CSPs. So Safari on iPad lets me enter the Matomo login but Edge on Win10 does not.
Same in WP admin mode using the theme customizer:
Using a CSP including “frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'”, the iPad shows previews of changes, Edge blocks the preview. So I have to remove frame-ancestors from the CSP.

Hi Aert,
thank you very much for your quick and profound response.
Changing the policy lets everything work fine but reduced the security level.
Here is my actual policy:
default-src 'none' 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https://goerres-web.de/piwik https://s.w.org https://www.ads-software.com; style-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self' 'unsafe-inline' 'unsafe-eval';
Best Regards,
Martin

Hi Aert,
No, I added the following within .htaccess (mostly as in the example given by Matomo):
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Content-Security-Policy: default-src 'self' https://cookiedatabase.org; script-src 'self' https://goerres-web.de/piwik https://cookiedatabase.org; img-src 'self' https://cookiedatabase.org https://goerres-web.de/piwik https://s.w.org https://www.ads-software.com; style-src 'self'; frame-ancestors 'self'; frame-src 'self';
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Referrer-Policy: no-referrer
I tested several variants, but Matomo also gets problems when trying to add the opt-out code. When using CSP, Matomo's login as admin fails too.
When running a scan on https://webbkoll.dataskydd.net/de the quality result is perfect.
Best regards,
Martin
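As an added example that is not part of Martin's posts or of the No unsafe-inline plugin: a small Python linter for the two Content-Security-Policy headers quoted above (the permissive policy with 'unsafe-inline'/'unsafe-eval' everywhere, and the stricter one from the .htaccess), showing which source expressions weaken a directive and which are simply ignored. The set of directives treated as host-only is an assumption based on the CSP3 source-list grammar.

```python
# Keywords that re-enable inline and eval'd script/style, i.e. most XSS vectors.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
# Directives whose source lists only take hosts, 'self' or 'none'; the keywords
# above have no effect there (assumption based on the CSP3 source-list grammar).
HOST_ONLY_DIRECTIVES = {"frame-ancestors", "frame-src", "img-src", "object-src"}

# The two policies quoted in the posts above, curly quotes normalised to ASCII.
WEAK_POLICY = (
    "default-src 'none' 'self' 'unsafe-inline' 'unsafe-eval'; "
    "object-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' https://goerres-web.de/piwik https://s.w.org https://www.ads-software.com; "
    "style-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'; "
    "frame-src 'self' 'unsafe-inline' 'unsafe-eval';"
)
STRICT_POLICY = (
    "default-src 'self' https://cookiedatabase.org; "
    "script-src 'self' https://goerres-web.de/piwik https://cookiedatabase.org; "
    "img-src 'self' https://cookiedatabase.org https://goerres-web.de/piwik https://s.w.org https://www.ads-software.com; "
    "style-src 'self'; frame-ancestors 'self'; frame-src 'self';"
)

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}; first duplicate wins."""
    header = header.replace("\u2018", "'").replace("\u2019", "'")
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def lint_csp(header: str) -> list[str]:
    """Return findings as 'directive: reason'; an empty list means nothing flagged."""
    findings = []
    for directive, sources in parse_csp(header).items():
        src = set(sources)
        if "'none'" in src and len(src) > 1:
            findings.append(f"{directive}: 'none' mixed with other sources is ignored")
        for kw in sorted(src & UNSAFE_KEYWORDS):
            if directive in HOST_ONLY_DIRECTIVES:
                findings.append(f"{directive}: {kw} has no effect here")
            else:
                findings.append(f"{directive}: {kw} re-enables content the directive should block")
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, lint_csp(policy) or ["no findings"])
```

Running it reports 13 findings for the permissive policy and none for the stricter one, which matches the trade-off described in the posts: the stricter header is the one that broke the Matomo login, the permissive one is the one that "reduced the security level".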