X-Cart: shopping cart software


ambal 01-20-2014 07:48 AM

Beware: Google Chrome can report URLs and hidden forms to Google
 
Hi Everyone,

This post is for users of downloadable X-Payments, as users of hosted X-Payments accounts do not need to do the below.

As you may know, we recently released X-Payments v2.0.1, which addresses one potential issue: Google Chrome can report to Google the URLs your customers visit if Chrome is configured “to help Google make Google search and Chrome better”, and information about those URLs can be fetched from Google’s cache. We added special protection from that in v2.0.1, namely, it now sends a special tag that forbids browsers from reporting URLs to search engines.

Besides, it turned out that Google Chrome works like a MITM, i.e. the "hidden" content can be indexed by the browser and sent to Google, where it may be found in the cache.

We advise those who use X-Payments v1.x-2.0.0 to do the following:

1) Make sure you have a robots.txt file in the X-Payments root directory. The content of the file should be as follows:

---------------
User-agent: *
Disallow: /
---------------

2) Append the following piece of code to all .htaccess files in the X-Payments root directory:

---------------
#
# Allow robots.txt file
#
<Files "robots.txt">
Allow from all
</Files>

#
# Set robots tag to noindex
#
<ifModule mod_headers.c>
Header set X-Robots-Tag "noindex"
</ifModule>
---------------

The above changes grant search engines access to the robots.txt file and send a special tag to the web browser which denies indexing.

We are supporting this forum post by sending an advisory letter to all holders of downloadable X-Payments licenses.
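A way to check that both steps from the post above took effect, as an added example that is not part of the original thread or of X-Payments: it audits a captured response head (for instance from `curl -sI`) and the robots.txt body. The sample responses and the path `/sample-page.php` are constructed for illustration, and the server-error hint is an assumption about how a rejected .htaccess shows up.

```python
# Added example: offline audit of the robots.txt and X-Robots-Tag mitigations.
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (not captured from a real X-Payments install).
GOOD_HEAD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Robots-Tag: noindex\r\n"
SCOPED_HEAD = "HTTP/1.1 200 OK\r\nX-Robots-Tag: googlebot: noindex\r\n"
BROKEN_HEAD = "HTTP/1.1 500 Internal Server Error\r\nServer: Apache\r\n"
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"


def global_robots_directives(raw_head):
    """Collect X-Robots-Tag directives that apply to every crawler."""
    found = set()
    for line in raw_head.splitlines()[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "x-robots-tag":
            continue
        scope, scoped, _ = value.partition(":")
        token = scope.strip()
        if scoped and token and all(c.isalnum() or c in "-_" for c in token):
            continue                                 # "googlebot: noindex" covers one bot only
        found.update(d.strip().lower() for d in value.split(",") if d.strip())
    return found


def audit(raw_head, robots_txt, sample_path="/sample-page.php"):
    """Return a list of problems; an empty list means both steps took effect."""
    problems = []
    lines = raw_head.splitlines()
    parts = lines[0].split() if lines else []
    status = parts[1] if len(parts) > 1 else "000"
    if status.startswith("5"):
        problems.append("server error %s: roll back and check .htaccess handling" % status)
    # "none" is shorthand for "noindex, nofollow"
    if not global_robots_directives(raw_head) & {"noindex", "none"}:
        problems.append("X-Robots-Tag noindex not sent for all crawlers")
    if robots_txt is None:
        problems.append("robots.txt not retrievable")
    else:
        parser = RobotFileParser()
        parser.parse(robots_txt.splitlines())
        if parser.can_fetch("*", sample_path):       # hypothetical path
            problems.append("robots.txt does not disallow " + sample_path)
    return problems


if __name__ == "__main__":
    for head, robots in ((GOOD_HEAD, ROBOTS_TXT), (SCOPED_HEAD, ""), (BROKEN_HEAD, None)):
        print(audit(head, robots) or "OK")
```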

cflsystems 01-20-2014 10:29 AM

Re: Beware: Google Chrome can report URLs and hidden forms to Google
 
Thanks for the warning Alex. I personally never turn on this or similar options in any browser/software - as it sends way too much info and Google is using it not only to improve or fix browser but also for advertising... - I know many users don't even pay attention to this...

While on the subject - any "hidden" content in XC pages that should not be allowed to cache? Any workaround for this?

ambal 01-20-2014 09:39 PM

Re: Beware: Google Chrome can report URLs and hidden forms to Google
 
I've posted the workaround in my first message. Basically this is an instruction for Chrome: "send nothing to your daddy". I hope Google does follow its own rules.
Potentially credit card data can be "cached" by Google, but we haven't found any evidence of that yet. I think Google is smart enough not to cache PANs and security codes in hidden forms but who knows what can happen in the future, so I advise you strongly to do the above.

Perhaps I am too careful about this, but I prefer to avoid any sort of trouble when it comes down to credit card processing.

Stizerg 01-20-2014 09:49 PM

Re: Beware: Google Chrome can report URLs and hidden forms to Google
 
When I made these changes, my X-Payments stopped working in all browsers.

ambal 01-21-2014 01:00 AM

Re: Beware: Google Chrome can report URLs and hidden forms to Google
 
Quote:

Originally Posted by Stizerg
When I made these changes, my X-Payments stopped working in all browsers.


Roll back the changes and make sure your web server allows and handles .htaccess files correctly.

