Labels: J4 Issue
Timeforsmilin - 30 Aug 2018

Hello, I am not a coder, but you guys have hidden the csp and x-frame policies, which are creating duplicate entries, when someone uses alternate security software to protect a Joomla domain. Your csp entries are considered insecure, and may be creating a conflict that disables the administrator save/save&close/close button functions.

I haven't had my shared hosting website taken offline since installing this software https://securitycheck.protegetuordenador.com about 4 years ago. That is more than I can say for any Joomla development! I don't know if my sites were hacked from the shared hosting platform or not, but they have been fine since I have added that security.

Whatever you have created, please make it visible and adjustable, or remove it, as there are better options.

Regards,
Louis

Timeforsmilin - open - 30 Aug 2018
joomla-cms-bot - change - 30 Aug 2018
Labels Added: ?
joomla-cms-bot - labeled - 30 Aug 2018
SniperSister - comment - 30 Aug 2018

Both options exist, nothing is hidden - I don’t get the point of your report.

Side note: I expect that at least csp generation will be removed from security extensions for j4 as the core tackles this part really well.

Timeforsmilin - comment - 30 Aug 2018

I posted this on a thread that I didn't realize was closed, so a person suggested I create a new issue, but I had no idea of the right area for this issue, so I guessed.

I haven't found anywhere in the Joomla admin to set or disable csp directives, and from the thread that I read on here, they are buried in a plugin. I went through the continual hacking of code to make a site cross browser compatible, and that is really not something I feel like doing now to the same degree. Security is something that we all should be taking seriously now, and even though my site is small, I have about 7 hack attempts daily on average. I care about not spreading malicious code!

While I look forward to J4, I won't stop using what I'm using, because it works, and I don't have to rebuild websites any longer.

franz-wohlkoenig - comment - 30 Aug 2018

I posted this on a thread

#18301 (comment)

franz-wohlkoenig - change - 30 Aug 2018
Status: New -> Discussion
franz-wohlkoenig - change - 30 Aug 2018
Category: com_csp
SniperSister - comment - 30 Aug 2018

I haven't found anywhere in the Joomla admin to set or disable csp directives, and from the thread that I read on here, they are buried in a plugin

You can find the options in the parameters of the HTTP headers plugin. They aren't "buried".

Security is something that we all should be taking seriously now, and even though my site is small, I have about 7 hack attempts daily on average. I care about not spreading malicious code!

Great, so do we. That’s why we have that new shiny plugin making Joomla the first major CMS shipping with a default CSP.

I won't stop using what I'm using

Nobody asked you to do so?

brianteeman - change - 30 Aug 2018
Labels Added: J4 Issue
brianteeman - labeled - 30 Aug 2018
brianteeman - comment - 30 Aug 2018

You can find the options in the parameters of the HTTP headers plugin. They aren't "buried".

It has been raised before that the configuration should be in the component and not in the plugin

zero-24 - comment - 31 Aug 2018

It has been raised before that the configuration should be in the component and not in the plugin

Yes, and it has been noted that the options get moved around once there is a clear definition of what should be where in the new template etc. Maybe (I'm not sure who suggested it in the first place?) it makes sense to implement a new view in the component to configure the CSPs, but this all depends on the new design, which, as far as I know, is not final yet.

brianteeman - comment - 31 Aug 2018

I think it was me ;)

zero-24 - comment - 31 Aug 2018

Yes, this is possible ;)

Timeforsmilin - comment - 31 Aug 2018

I have 3.8.12 running, and I have searched plugins for these terms: content, security, http, header, csp, and nothing shows up as the plugin referred to. I have sorted by system and content with the same result; even looked at the 2 pages of installed plugins. I tried using the terminology first mentioned in the previous thread that was merged with this one for my search, and that is what prompted my hidden comment.

Please point me to the right plugin. I have been a Joomla user since Version 1, and really do appreciate the job that all of you do! I am also trying to contribute by participating in various forums with fixes that I have used or found. I'm not normally a participant with core developers.

Thanks!

zero-24 - comment - 31 Aug 2018

I have 3.8.12 running

Yes, this is true. The CSP stuff is shipped with 4.0 in the core. For 3.x you need to use this plugin: https://github.com/zero-24/plg_system_httpheader/releases

zero-24 - comment - 31 Aug 2018

(which does not include the component for auto-generating the rules yet)

Timeforsmilin - comment - 31 Aug 2018

My host has checked the httpd.conf file and found no directives in there, but did confirm that I have duplicate entries. The part that concerns me is this entry:
Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'", and I can't find or edit it. I've read that those can open the server to unpleasantries. With that CSP being the first entry, does it cancel out the second entry that I created?

Thank you, I’ll download that plugin later and see what I can do with it.

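On the question above about two Content-Security-Policy headers, an added example that is not part of the Joomla issue or of either extension: per the CSP specification a browser enforces every delivered policy independently, so a resource load must satisfy all of them, and a second header can only tighten, never cancel, the first. The script models that rule with simplified source matching (exact origin, 'self', scheme sources such as https: or data:, and *) and flags the 'unsafe-inline', 'unsafe-eval' and data: expressions the comment worries about; the header values are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample: a permissive policy and a stricter one delivered in the
# same response, as happens when two extensions each add their own header.
SAMPLE_HEADERS = [
    "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
    "default-src 'self'; script-src 'self' https://cdn.example",
]

# Source expressions that largely defeat the purpose of a CSP.
WEAK_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "data:", "*"}


def parse_policy(header):
    """Turn one CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def allows(policy, directive, url, page_origin):
    """Does a single policy permit fetching `url` under `directive`? Falls back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # governed by neither directive: unrestricted by this policy
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src == "*" or src == origin:
            return True
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and parts.scheme == src[:-1]:  # scheme source, e.g. https: or data:
            return True
    return False


def allowed_by_all(headers, directive, url, page_origin):
    """Browsers enforce every delivered policy: the load must pass all of them."""
    return all(allows(parse_policy(h), directive, url, page_origin) for h in headers)


def weak_directives(header):
    """List, per directive, the weak source expressions a policy contains."""
    policy = parse_policy(header)
    return {d: sorted(set(s) & WEAK_KEYWORDS) for d, s in policy.items() if set(s) & WEAK_KEYWORDS}
```

Running `allowed_by_all` with the permissive header alone versus both headers shows that the stricter policy still blocks what the first one would allow, so a duplicate header does not cancel the tighter one.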

brianteeman - comment - 31 Aug 2018

@Timeforsmilin This is not the place for support on your httpd.conf configuration.

Timeforsmilin - comment - 31 Aug 2018

I wasn't asking for any support on that. I was stating the fact that the duplication is coming from Joomla, as I have read that the directives can come from the httpd.conf file or .htaccess.

What I did ask is if that plugin will allow me to disable the duplicate entries.


brianteeman - comment - 31 Aug 2018

I was stating the fact that the duplication is coming from Joomla,

In the version of Joomla that you are using there is nothing setting any CSP headers - unless you have an extension that is doing it, in which case you should ask them.

What I did ask is if that plugin will allow me to disable the duplicate entries.

That plugin is not part of Joomla - it is a third-party extension.

This issue tracker is only for issues with the core Joomla code and/or developing new features for the core of Joomla.

brianteeman - comment - 31 Aug 2018

Re-reading your initial post, you state that you are using an extension from protegetuordenador.com, and that does have the ability to create CSP headers. So if you have duplicates, I would start by looking there, as there is nothing in Joomla 3.x that will create any.

Sorry, I am closing this as it does not relate to the core Joomla code and/or developing new features for the core of Joomla.

brianteeman - change - 31 Aug 2018
Status: Discussion -> Closed
Closed_Date: 2018-08-31 22:47:02
Closed_By: brianteeman
brianteeman - close - 31 Aug 2018
