Thanks @Quy

Thanks merged @Quy

Please fix conflicts.

Done @Quy

Any blockers other than testing at this point?

@zero-24 I see no blocker and just wanted to test, but I've noticed that Drone status is not ok here, it is hanging on "Waiting for status to be reported". I have no idea why, the branch seems not to have any conflicts to the 4.0-dev branch of the CMS.

@zero-24 Maybe you can fix the hanging drone by updating your branch to latest 4.0-dev?

Done @richard67

I have tested this item ✅ successfully on 72ba37c

Drone is ok nowdays so nothing bocks testing here right @richard67 ? Maybe @Quy can mark a test as the last commits where just branch updates the test by @jmeintrup still stands.

Is script-dynamic dependent on Nonce and/or Script hashes being enabled?

Is script-dynamic dependent on Nonce and/or Script hashes being enabled?

I dont think that it is a hard requiremet but suggested for sure.

How about make it like frame-ancestors so you don't have to add an entry for it?

How about make it like frame-ancestors so you don't have to add an entry for it?

I think it should be an informed decision to enable script-dynamic or not.

My suggestion is to keep the script-dynamic switch. If enabled, strict-dynamic will be added.

Agree that should be the case right now? Or I'm missing something?

I assume you have to add a Directive entry to activate it.

I assume you have to add a Directive entry to activate it.

Ah i get where you are comming from. frame-ancestors can be compared to script-src in that case it is selfcontained. scrypt-dynamic should be passed as part of the script-src directive.

I am new to CSP so I don't understand it fully, however, I think Yes to your assessment.

I am new to CSP so I don't understand it fully, however, I think Yes to your assessment.

no problem feel free to ask when questions like that come up :)

I have tested this item ? unsuccessfully on 64897e8

the test says : notice there is no script-dynamic setting, the option in j4 says strict-dynamic
so either one or the other is inconsistent (script- or strict- ... which one? )

@opn365 this has been patched in the description now. It was an typo in the description please retest.

I have tested this item ✅ successfully on 02826b8

Test successful after description update

@zero-24 during test the new option in the com_csp is not appearing. something i'm missing?

@zero-24 during test the new option in the com_csp is not appearing. something i'm missing?

hmm can you show me the options screen? And please double check that the correct PR was applied.

@zero-24 pr correct as first section of test works

@zero-24 pr correct as first section of test works

please enable that option and configure "auto" or "custom" mode to see the new option.

@zero-24 pr correct as first section of test works

please enable that option and configure "auto" or "custom" mode to see the new option.

OK, got to the setting, activated it and tested on https://csp-evaluator.withgoogle.com/%7C
getting:

OK, got to the setting, activated it and tested on https://csp-evaluator.withgoogle.com/%7C
getting:

Have you setup the script-src and object-src? What are the settings from the component?

OK, better question how do I check for "the generated csp header."

@Bodge-IT In development tools of your browser, network analysis, then inspect the header of the packet. It's something for nerds ;-)

thanks @richard67 ,

referrer-policy | strict-origin-when-cross-origin

This what I'm looking for? Am new to CSP.

referrer-policy | strict-origin-when-cross-origin

This what I'm looking for? Am new to CSP.

At this point @zero-24 can help netter than I do.

This what I'm looking for? Am new to CSP.

Conent-security-poliy(-report-only)

Can you please post the settings you made?

com_csp:

Plugin:

headers:

@Bodge-IT In your screenshot of the headers I see: "report-to: csp-endpoint". That's one of the headers added by this PR, so success for this point.

For the second point the strict-dynamic option option, your screenshot with the com_csp options shows that this option is there. So success also for this point.

@zero-24 Am I right? Or am I missing something?

@zero-24 Am I right? Or am I missing something?

Yes @Bodge-IT in custom mode you can actually also add a custom rule ("last option") with script-src and some value and notice that the CSP header has that key value as well as script-dynamic.

I get this:

Ok found the issue please re apply this PR (revert and than apply again via patchtester) or manually apply this changes here: 304c468

Boom:

Will reset @opn365 test and request new additional test

Thanks for your support...

Thanks ?

Do we need to get tests reset?

@zero-24, can you tweak test instructions to advise what we're looking for in headers?

@Bodge-IT No need for reset, that happens automatically on GitHub with a new commit. In the tracker you might not see that. But it's here on GitHub which counts.

@opn365 Could you re apply this PR (revert, then fetch again patches and than apply again via patchtester if using patchtester, or pulling latest changes when using a git client) and then repeat your test? There have been changes made in this PR. Thanks in advance, and thanks for the previous test.

@zero-24, can you tweak test instructions to advise what we're looking for in headers?

Done thanks

I have tested this item ✅ successfully on 80d1e1b

Checked options and headers...all good.

I have tested this item ✅ successfully on 80d1e1b

Was easy as pie to follow, once Gary added all the screen shots!

Pulled in Phil to get this done...

Pulled in Phil to get this done...

Seems he did not have time and has sent his cat instead ;-)

RTC