Post #3, 04-17-2019, 01:04 AM
Triple A Racing (X-Wizard)
Join Date: Jul 2008
Location: Manchester UK
Posts: 1,028
 

Re: X-Cart 5.4.0 Public Beta is out

Quote:
Originally Posted by mvs
....You’ll love the revised email notifications builder, brand-new upgrade system with one-click rollbacks, the updated webmaster mode and template editor, and many more improvements. Download the fresh v5.4.0 and tell us how much you like it.
Great that this has been released as an advance public beta. Thanks for that.
We've downloaded it and will be taking a good long look at it over this coming weekend.

Meanwhile, one very important question: this is the default Content Security Policy that's applied (via ~/etc/config.php) in XC 5.3.*.*, and which remains like this unless edited / replaced by the XC store owner:

Code:
; Content-Security-Policy value
; For possible values see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
; Examples:
; content_security_policy = 'disabled' # prevent Content-Security-Policy header sending
; content_security_policy = "default-src 'self'"
; content_security_policy = "default-src 'self'; img-src *;"
content_security_policy = 'disabled'
Disappointingly, the exact same content is also provided in the XC 5.4.*.* public beta ~/etc/config.php:

Code:
; Content-Security-Policy value
; For possible values see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
; Examples:
; content_security_policy = 'disabled' # prevent Content-Security-Policy header sending
; content_security_policy = "default-src 'self'"
; content_security_policy = "default-src 'self'; img-src *;"
content_security_policy = 'disabled'

"Disabled" is far short of aiding 100% site security, and it does appear to have now possibly become an oversight, as this very item was raised some time ago, with the XC answer being a forward reference to XC 5.4.*.* providing the necessary solution.

Could XC please post a tested, fully functional Content Security Policy here (a CSP which can be used either within the site's HTTP header or in the ~/etc/config.php and/or the ~/etc/default.config.php, this location choice being the store owner's, as it is now). The CSP really should NOT include:

Code:
data: 'unsafe-inline' 'unsafe-eval';
but, most importantly, the CSP must still allow XC 5.4.*.* and/or any XC Modules to continue to function 100% perfectly.
__________________
Dev Store & Live Store XC Business 5.4.1.35
Server; Ubuntu 22.04.2 LTS (HWE 6.2.0.26.26 Kernel)) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
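As an added example (not part of the post above and not X-Cart's own code): a small Python linter that reads the content_security_policy setting from a config.php-style INI fragment and flags exactly the sources the post objects to (data:, 'unsafe-inline', 'unsafe-eval'), along with the 'disabled' value, a missing default-src fallback, and wildcard origins such as the img-src * shown in the config comments. The CONFIG_FRAGMENT and STRICTER_EXAMPLE strings are constructed for illustration; STRICTER_EXAMPLE is a generic starting point, not a policy verified against X-Cart 5.4 or its modules.

```python
"""Read a content_security_policy setting from an INI-style fragment and
lint the resulting CSP for the sources the post says must not appear."""
import re

# Source expressions the post says the policy must NOT contain.
FORBIDDEN_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:"}

# Constructed fragment mirroring the config.php lines quoted in the post
# (';' starts a comment line, the live setting is the last uncommented line).
CONFIG_FRAGMENT = """\
; Content-Security-Policy value
; content_security_policy = 'disabled' # prevent Content-Security-Policy header sending
; content_security_policy = "default-src 'self'; img-src *;"
content_security_policy = 'disabled'
"""

# Assumed stricter replacement: a generic starting point, NOT verified against X-Cart.
STRICTER_EXAMPLE = (
    "default-src 'self'; img-src 'self' https:; object-src 'none'; "
    "frame-ancestors 'self'; base-uri 'self'"
)


def read_csp_setting(ini_text):
    """Return the effective content_security_policy value (unquoted) from an
    INI-style fragment, or None if the key is never set. The last assignment
    wins, as it would for an INI parser."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        m = re.match(r"content_security_policy\s*=\s*(.*)$", line)
        if not m:
            continue
        v = m.group(1).strip()
        if v[:1] in ("'", '"'):
            # Quoted value: take everything up to the matching quote so that a
            # ';' inside the policy string is not mistaken for a comment.
            end = v.find(v[0], 1)
            v = v[1:end] if end > 0 else v[1:]
        else:
            # Unquoted value: drop any trailing '#' or ';' inline comment.
            v = re.split(r"\s*[#;]", v, 1)[0].strip()
        value = v
    return value


def parse_csp(policy):
    """Split a CSP header value into {directive_name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint_csp(policy):
    """Return a list of findings (empty list means nothing flagged)."""
    if policy is None or policy.strip().lower() == "disabled":
        return ["no Content-Security-Policy header will be sent"]
    directives = parse_csp(policy)
    findings = []
    if "default-src" not in directives:
        findings.append("no default-src fallback: unlisted fetch directives are unrestricted")
    for name, sources in directives.items():
        for src in sources:
            if src.lower() in FORBIDDEN_SOURCES:
                findings.append(f"{name} allows {src}")
            elif src == "*":
                findings.append(f"{name} allows any origin (*)")
    return findings


if __name__ == "__main__":
    setting = read_csp_setting(CONFIG_FRAGMENT)
    print("effective setting:", setting)
    for label, policy in (("shipped", setting), ("stricter example", STRICTER_EXAMPLE)):
        print(f"{label}: {lint_csp(policy) or 'no findings'}")
```

Scripts and styles that the store renders inline would be blocked by a policy like STRICTER_EXAMPLE; the usual way to keep them working without 'unsafe-inline' is per-response nonces or hashes in script-src / style-src, which is exactly the work a tested X-Cart policy would have to cover.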