Quote:
Originally Posted by mvs
....You’ll love the revised email notifications builder, brand-new upgrade system with one-click rollbacks, the updated webmaster mode and template editor, and many more improvements. Download the fresh v5.4.0 and tell us how much you like it.
Great that this has been released as an advance public beta. Thanks for that.
We've downloaded it and will be taking a long good look at it over this coming weekend.
Meanwhile, one very important question? This is the default
Content Security Policy that's applied (via ~/etc/config.php) in XC 5.3.*.* and which remains like this,
unless edited / replaced by the XC store owner:
Code:
; Content-Security-Policy value
; For possible values see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
; Examples:
; content_security_policy = 'disabled' # prevent Content-Security-Policy header sending
; content_security_policy = "default-src 'self'"
; content_security_policy = "default-src 'self'; img-src *;"
content_security_policy = 'disabled'
Disappointingly, the exact same content is also provided in the XC 5.4.*.* public beta ~/etc/config.php
Code:
; Content-Security-Policy value
; For possible values see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
; Examples:
; content_security_policy = 'disabled' # prevent Content-Security-Policy header sending
; content_security_policy = "default-src 'self'"
; content_security_policy = "default-src 'self'; img-src *;"
content_security_policy = 'disabled'
"Disabled" is far short of aiding 100% site security and it does appear to have now possibly become an oversight, as this very item was raised some time ago, with the XC answer being... a forward reference to XC 5.4.*.* providing the necessary solution.
Could XC please post a tested, fully functional Content Security Policy on here (a CSP which can be used either within the site's http header or, in the ~/etc/config.php and/or the ~/etc/default.config.php - this location choice being the store owners' - as it is now). The CSP really should NOT include:
Code:
data: 'unsafe-inline' 'unsafe-eval';
but most importantly, the CSP must still allow XC 5.4.*.* and/or any XC Modules, to continue to function 100% perfectly.