
Beware: Google Chrome can report URLs and hidden forms to Google

 
#1 | 01-20-2014, 07:48 AM | ambal (X-Cart team) | Join Date: Sep 2002 | Posts: 4,119

Hi Everyone,

This post is for users of downloadable X-Payments, as users of hosted X-Payments accounts do not need to do the below.

As you may know, we recently released X-Payments v2.0.1, which addresses one potential issue: Google Chrome can report to Google the URLs your customers visit if Chrome is configured “to help Google make Google search and Chrome better”, and information about those URLs can be fetched from Google’s cache. We added special protection from that in v2.0.1, namely, it now sends a special tag that forbids browsers from reporting URLs to search engines.

Besides, it turned out that Google Chrome works like a MITM, i.e. the "hidden" content can be indexed by the browser and sent to Google, where it may be found in the cache.

We advise those who use X-Payments v1.x-2.0.0 to do the following:

1) Make sure you have a robots.txt file in the X-Payments root directory. The content of the file should be as follows:

---------------
User-agent: *
Disallow: /
---------------

2) Append the following piece of code to all .htaccess files in the X-Payments root directory:

---------------
#
# Allow robots.txt file
#
<Files "robots.txt">
Allow from all
</Files>

#
# Set robots tag to noindex
#
<ifModule mod_headers.c>
Header set X-Robots-Tag "noindex"
</ifModule>
---------------

The above changes grant search engines access to the robots.txt file and send a special tag to the web browser which denies indexing.

We are supporting this forum post by sending an advisory letter to all holders of downloadable X-Payments licenses.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager

Last edited by ambal : 01-20-2014 at 07:51 AM.

The following 5 users thank ambal for this useful post:
ADDISON (01-20-2014), carpeperdiem (01-20-2014), cflsystems (01-20-2014), Duramax 6.6L (01-20-2014), Stizerg (01-20-2014)
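
A way to confirm that both measures from the first post are actually in effect (an added example, not part of the original post or of X-Payments). Because the Header line sits inside `<ifModule mod_headers.c>`, a server without mod_headers skips it silently, so the response itself has to be checked. The probe paths and sample responses below are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

def robots_blocks_all(robots_txt, paths=("/", "/admin.php", "/payment.php")):
    """True if robots.txt denies every probe path (hypothetical paths) to a crawler."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not any(rp.can_fetch("Googlebot", p) for p in paths)

def sends_noindex(headers):
    """True if an X-Robots-Tag header tells all crawlers not to index.

    headers: iterable of (name, value) pairs from one HTTP response.
    """
    for name, value in headers:
        if name.lower() != "x-robots-tag":
            continue
        value = value.lower()
        head, sep, _ = value.partition(":")
        # "googlebot: noindex" is scoped to one crawler, so it does not count.
        if sep and "," not in head and head.strip() != "unavailable_after":
            continue
        if {"noindex", "none"} & {d.strip() for d in value.split(",")}:
            return True
    return False

def audit(robots_txt, responses):
    """Return a list of findings; an empty list means both measures are active."""
    findings = []
    if not robots_blocks_all(robots_txt):
        findings.append("robots.txt does not disallow the whole site")
    for path, headers in responses.items():
        if not sends_noindex(headers):
            findings.append(f"{path}: no X-Robots-Tag noindex header")
    return findings

# Constructed sample data (not captured from a real X-Payments install).
ROBOTS = "User-agent: *\nDisallow: /\n"
GOOD = {"/": [("Content-Type", "text/html"), ("X-Robots-Tag", "noindex")]}
# What a server without mod_headers returns: <ifModule> skips the Header line.
NO_MOD_HEADERS = {"/payment.php": [("Content-Type", "text/html")]}

if __name__ == "__main__":
    print(audit(ROBOTS, GOOD))
    print(audit(ROBOTS, NO_MOD_HEADERS))
    print(audit("", GOOD))
```

To use it against a live install, feed it the robots.txt body and the response headers collected from each page of the payment flow.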

#2 | 01-20-2014, 10:29 AM | cflsystems (Veteran) | Join Date: Apr 2007 | Posts: 14,190

Thanks for the warning, Alex. I personally never turn on this or similar options in any browser/software, as it sends way too much info and Google is using it not only to improve or fix the browser but also for advertising... I know many users don't even pay attention to this...

While on the subject - any "hidden" content in XC pages that should not be allowed to cache? Any workaround for this?
__________________
Steve Stoyanov
CFLSystems.com
Web Development

#3 | 01-20-2014, 09:39 PM | ambal (X-Cart team) | Join Date: Sep 2002 | Posts: 4,119

I've posted the workaround in my first message. Basically, this is an instruction for Chrome: "send nothing to your daddy". I hope Google does follow its own rules.
Potentially, credit card data can be "cached" by Google, but we haven't found any evidence of that yet. I think Google is smart enough not to cache PANs and security codes in hidden forms, but who knows what can happen in the future, so I advise you strongly to do the above.

Perhaps I am too careful about this, but I prefer to avoid any sort of trouble when it comes down to credit card processing.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager

#4 | 01-20-2014, 09:49 PM | Stizerg (Senior Member) | Join Date: Apr 2008 | Location: Sydney, Australia | Posts: 195

When I made these changes, my X-Payments stopped working in all browsers.
__________________
X-Cart Gold Plus 4.6.6
A lot of custom mods

#5 | 01-21-2014, 01:00 AM | ambal (X-Cart team) | Join Date: Sep 2002 | Posts: 4,119

Quote:
Originally Posted by Stizerg
When I made these changes, my X-Payments stopped working in all browsers.

Roll back the changes and make sure your web server allows and handles .htaccess files correctly.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
All times are GMT -8.

   

 