Forum Replies Created

Viewing 15 replies - 1 through 15 (of 29 total)
  • Thread Starter hayobethlehem

    (@hayobethlehem)

    never mind. apparently, when uninstalling the friends plugin, it leaves a lot of data in the options table, which has the tendency to corrupt and break the friends plugin on reinstall.

    Thread Starter hayobethlehem

    (@hayobethlehem)

    my mistake, after some testing, there seems to be no conflict, just the Friends plugin acting weird. Consider this resolved.

    Thread Starter hayobethlehem

    (@hayobethlehem)

    Breeze on:
    
    HTTP/1.1 200 OK =>
    Date => Mon, 04 Sep 2023 11:30:21 GMT
    Server => Apache
    Cache-Provider => CLOUDWAYS-CACHE-DE
    Content-Encoding => gzip
    Vary => Accept-Encoding,User-Agent
    Strict-Transport-Security => max-age=31536000; includeSubdomains; preload
    X-Frame-Options => SAMEORIGIN
    Upgrade => h2c
    Connection => Upgrade, close
    Last-Modified => Mon, 04 Sep 2023 11:28:25 GMT
    Content-Length => 4798
    Cache-Control => max-age=3600
    Expires => Mon, 04 Sep 2023 12:30:21 GMT
    X-Clacks-Overhead => GNU Terry Pratchett
    Access-Control-Allow-Methods => GET,PUT,POST,DELETE
    X-XSS-Protection => 1; mode=block
    X-Content-Type-Options => nosniff
    Referrer-Policy => strict-origin
    Access-Control-Allow-Origin => null
    Access-Control-Allow-Headers => Content-Type, Authorization
    Cross-Origin-Embedder-Policy => unsafe-none
    Cross-Origin-Opener-Policy => same-origin
    Cross-Origin-Resource-Policy => cross-origin
    Permissions-Policy => accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=, display-capture=(self), document-domain=(self), encrypted-media=(self), fullscreen=, geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(), sync-xhr=(self), usb=(self), web-share=(self), xr-spatial-tracking=(self)
    Content-Type => text/html; charset=utf-8

    Breeze off:

    HTTP/1.1 200 OK =>
    Date => Mon, 04 Sep 2023 11:31:36 GMT
    Server => Apache
    Link => ; rel=shortlink
    Content-Security-Policy => base-uri 'self';connect-src 'self';default-src 'self';frame-ancestors 'self';frame-src 'self';img-src data: 'self' https://i.gr-assets.com/images/S/compressed.photo.goodreads.com/books/ https://pxscdn.com;form-action 'self';font-src 'self';media-src 'self';object-src 'none';script-src 'strict-dynamic';style-src 'self';
    Strict-Transport-Security => max-age=31536000; includeSubdomains; preload
    X-Frame-Options => SAMEORIGIN
    Vary => User-Agent,Accept-Encoding
    Upgrade => h2c
    Connection => Upgrade, close
    Cache-Control => max-age=3600
    Expires => Mon, 04 Sep 2023 12:31:36 GMT
    X-Clacks-Overhead => GNU Terry Pratchett
    Access-Control-Allow-Methods => GET,PUT,POST,DELETE
    X-XSS-Protection => 1; mode=block
    X-Content-Type-Options => nosniff
    Referrer-Policy => strict-origin
    Access-Control-Allow-Origin => null
    Access-Control-Allow-Headers => Content-Type, Authorization
    Cross-Origin-Embedder-Policy => unsafe-none
    Cross-Origin-Opener-Policy => same-origin
    Cross-Origin-Resource-Policy => cross-origin
    Permissions-Policy => accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=, display-capture=(self), document-domain=(self), encrypted-media=(self), fullscreen=, geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(), sync-xhr=(self), usb=(self), web-share=(self), xr-spatial-tracking=(self)
    Content-Type => text/html; charset=UTF-8
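
The Breeze-on dump in the post above lacks the `Content-Security-Policy` header that the Breeze-off dump carries. As an added example (not part of the original post, and not code from Breeze or any plugin mentioned here), this script parses two dumps in the same `Name => value` format and reports the security headers that differ between the uncached and cached response. The function names and the abridged sample values are assumptions made for illustration.

```python
SECURITY_HEADERS = (
    "content-security-policy", "strict-transport-security",
    "x-frame-options", "x-content-type-options", "referrer-policy",
    "permissions-policy", "cross-origin-opener-policy",
    "cross-origin-embedder-policy", "cross-origin-resource-policy",
)

def parse_dump(text):
    """Parse 'Name => value' lines into {lowercased name: value}."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=>")
        key, value = name.strip().lower(), value.strip()
        if not sep or not key or key.startswith("http/"):
            continue  # blank line, junk, or the status line
        # A repeated header is combined with ", " as HTTP does.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def diff_security_headers(origin, cached):
    """Map each differing security header to (status, origin, cached)."""
    findings = {}
    for name in SECURITY_HEADERS:
        before, after = origin.get(name), cached.get(name)
        if before != after:
            status = ("dropped" if after is None
                      else "added" if before is None else "changed")
            findings[name] = (status, before, after)
    return findings

# Constructed sample: abridged from the two dumps in the post above.
BREEZE_OFF = """HTTP/1.1 200 OK =>
Content-Security-Policy => default-src 'self';object-src 'none'
Strict-Transport-Security => max-age=31536000; includeSubdomains; preload
X-Frame-Options => SAMEORIGIN
Content-Type => text/html; charset=UTF-8"""

BREEZE_ON = """HTTP/1.1 200 OK =>
Cache-Provider => CLOUDWAYS-CACHE-DE
Strict-Transport-Security => max-age=31536000; includeSubdomains; preload
X-Frame-Options => SAMEORIGIN
Content-Type => text/html; charset=utf-8"""

def check():
    return diff_security_headers(parse_dump(BREEZE_OFF), parse_dump(BREEZE_ON))

if __name__ == "__main__":
    for name, (status, before, after) in check().items():
        print(f"{name}: {status} (origin={before!r}, cached={after!r})")
```

Running the same comparison after every cache or plugin change shows whether the cached response still carries the policy the origin sets.
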
    Thread Starter hayobethlehem

    (@hayobethlehem)

    well, strict csp headers aren’t a good idea in wordpress backend. So best place is in the template header.

    Respecting existing headers seems like a best practice to me, also very little performance gain to get there.

    Thread Starter hayobethlehem

    (@hayobethlehem)

    1. yeah that’s also one of the downsides. Ideally you’re able to manage what’s added and what’s not.
    2. I’m not a fan of inline event handlers, i do see there are cases for it. In that sense it might be an idea to use the js method optionally. so if you don’t use those handlers, you can switch it off. same goes for 3.

    I’d love to have something like a strict/clean mode, and a more permissive mode where it works with extra features you put in. But there’s probably not a big market for the strict mode.

    Thread Starter hayobethlehem

    (@hayobethlehem)

    I’d recommend having a look at how https://www.ads-software.com/plugins/csp-antsst/ this one works. The core functionality of that plugin seems to work fine, it’s just that it deletes any existing csp, and does not allow any editing of additional headers. Also, no response or updates. So if you can find some way to reverse engineer what’s going on there (sorry, not a proper php programmer myself).

    Thread Starter hayobethlehem

    (@hayobethlehem)

    Ah, that is a bit unfortunate, and thus a hard no on the plugin for me. A bit surprising, it uses JS and doesn’t do it in PHP. Thanks for clarifying, though!

    Thread Starter hayobethlehem

    (@hayobethlehem)

    <script type="text/javascript" src="https://hayobethlehem.nl/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script>
    <script type="text/javascript" src="https://hayobethlehem.nl/wp-includes/js/jquery/jquery-migrate.min.js" id="jquery-migrate-js"></script>
    <script type="text/javascript" src="https://hayobethlehem.nl/wp-content/plugins/no-unsafe-inline/includes/js/no-unsafe-inline-prefilter-override.min.js" id="no-unsafe-inline_jquery-htmlprefilter-override-js"></script>
    <script type="text/javascript" src="https://hayobethlehem.nl/wp-content/plugins/no-unsafe-inline/includes/js/no-unsafe-inline-fix-style.min.js" id="no-unsafe-inline_fix_setattribute_style-js"></script>
    <script type="text/javascript" src="https://hayobethlehem.nl/wp-content/plugins/no-unsafe-inline/includes/js/no-unsafe-inline-mutation-observer.min.js" id="no-unsafe-inline_mutation-observer-js"></script>
    

    this all appears when i switch no-unsafe-inline on.

    Thread Starter hayobethlehem

    (@hayobethlehem)

    i actually don’t get that script src element warning in dev tools. that’s odd. how did you get to see it?

    as long as the js file comes from the same domain there shouldn’t be an issue.

    regardless, the scripts.js the plugin is supposed to put in the footer never shows up.

    • This reply was modified 1 year, 10 months ago by hayobethlehem. Reason: misread something
    • This reply was modified 1 year, 10 months ago by hayobethlehem.
    Thread Starter hayobethlehem

    (@hayobethlehem)

    thanks. I disabled autoptimize. Also tried just putting the js code in analytics.js and made an empty pageviews.php but neither of those had any effect.

    Thread Starter hayobethlehem

    (@hayobethlehem)

    and to correct the original post, it’s the galleries, not the albums.

    Thread Starter hayobethlehem

    (@hayobethlehem)

    I’m sad to say this problem has returned. I now have 2 login accounts that don’t render the interface.

    Thread Starter hayobethlehem

    (@hayobethlehem)

    I actually checked the translations, and they exist in the language files, they just don’t seem to appear in the interface. screenshot example: https://wassenaar.news/bin/Screenshot2023-01-10083932.jpg

    https://wassenaar.news/bin/Screenshot2023-01-10084228.jpg

    Thread Starter hayobethlehem

    (@hayobethlehem)

    just checking, did you get my email?

    Thread Starter hayobethlehem

    (@hayobethlehem)

    extra info; i’m on the latest version. I have tried deactivating and installing again, but it did nothing. I have checked my git for the last week, but couldn’t find anything i committed to my template that could have such an effect. also i’m running php 8.1 (but it worked before on that).
