01-20-2014, 07:48 AM
ambal (X-Cart team)

Beware: Google Chrome can report URLs and hidden forms to Google

Hi Everyone,

This post is for users of downloadable X-Payments, as users of hosted X-Payments accounts do not need to do the steps below.

As you may know, we recently released X-Payments v2.0.1, which addresses one potential issue: Google Chrome can report to Google the URLs your customers visit if Chrome is configured “to help Google make Google search and Chrome better”, and information about those URLs can be fetched from Google’s cache. We added special protection against that in v2.0.1: it now sends a special tag that forbids browsers from reporting URLs to search engines.

Besides, it turned out that Google Chrome works like a MITM, i.e. the "hidden" content can be indexed by the browser and sent to Google, where it may be found in the cache.

We advise those who use X-Payments v1.x-2.0.0 to do the following:

1) Make sure you have a robots.txt file in the X-Payments root directory. The content of the file should be as follows:

---------------
User-agent: *
Disallow: /
---------------

2) Append the following piece of code to all .htaccess files in the X-Payments root directory:

---------------
#
# Allow robots.txt file
#
<Files "robots.txt">
Allow from all
</Files>

#
# Set robots tag to noindex
#
<ifModule mod_headers.c>
Header set X-Robots-Tag "noindex"
</ifModule>
---------------

The above changes grant search engines access to the robots.txt file and send a special tag to the web browser that denies indexing.

We are supporting this forum post by sending an advisory letter to all holders of downloadable X-Payments licenses.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager

Last edited by ambal : 01-20-2014 at 07:51 AM.
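One way to confirm that the two changes in the post above are actually being served, as an added example that is not part of the original post or of X-Payments: it parses a robots.txt body and the X-Robots-Tag header values and reports whether they deny indexing. The function names, the stricter rule that every crawler group must be fully disallowed, and the decision not to count crawler-scoped header values are assumptions of this example.

```python
import urllib.error
import urllib.request

def parse_groups(body):
    """Split a robots.txt body into (user-agents, rules) groups."""
    groups, agents, rules = [], [], []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules:                                # rule lines ended the previous group
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field in ("allow", "disallow") and agents:
            rules.append((field, value))
    if agents:
        groups.append((agents, rules))
    return groups

def robots_blocks_all(body):
    """True only if a '*' group exists and every group is 'Disallow: /' with no Allow."""
    groups = parse_groups(body)
    return any("*" in a for a, _ in groups) and all(
        ("disallow", "/") in r and not any(f == "allow" and v for f, v in r)
        for _, r in groups)

def header_denies_indexing(values):
    """values: every X-Robots-Tag header value found on one response."""
    for value in values:
        parts = [p.strip().lower() for p in value.split(",")]
        # a "botname: ..." prefix scopes the value to one crawler, so it is not counted
        if ":" not in parts[0] and {"noindex", "none"} & set(parts):
            return True
    return False

def audit(base_url, page="/"):
    """Live check over the network; base_url is the X-Payments root URL (assumption)."""
    def get(path):
        try:
            return urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10)
        except urllib.error.HTTPError as err:
            return err                               # error responses carry headers too
    robots, resp = get("/robots.txt"), get(page)
    text = robots.read().decode("utf-8", "replace") if robots.status == 200 else ""
    tags = resp.headers.get_all("X-Robots-Tag") or []
    return {"robots.txt": robots_blocks_all(text), "X-Robots-Tag": header_denies_indexing(tags)}
```

Run `audit()` against your own X-Payments URL after editing the files; a `False` for `robots.txt` usually means the file is missing or still blocked by an access rule, and a `False` for `X-Robots-Tag` usually means mod_headers is not loaded.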