Closed (Fraenkiman closed this 1 year ago)
I have a question. When I added this, it blocked fontawesome.
Please, see attached browser warnings below:
Error with Feature-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'.
Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser.
Refused to load the script 'https://kit.fontawesome.com/4c5a3ae49c.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' blob:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Hello @DJPVMA,
Possibly fontawesome uses FLoC. I recommend blocking FLoC by default for security reasons. This is done via the header
Permissions-Policy: interest-cohort=()
The new feature is not yet implemented in all Chrome browsers. If the message is displayed, the browser does not know the new header. Other browsers ignore it and therefore display nothing.
From a data protection point of view, it may make sense to make fonts and icons available locally on your own web server.
If you have an alternative to harden the response header for major browsers, let me know right away. Any suggestion is welcome.
With best regards, Frank
Hello, everyone,
Since some of the FlatPress users would like to offer visitors a certain level of security when visiting the FlatPress blog, but may not know how, certain security guidelines can already be integrated into FlatPress. Headers such as Content-Security-Policy and X-Frame-Options can thwart common hacks like a clickjacking attack.
I took the liberty of adapting the defaults.php file from the current master branch. Brief description of the adjustment:
Added in line 124:
ini_set('session.cookie_samesite', 'Lax');
Added lines 156 to 162.
A before and after test can be carried out here, among other things. I am happy to provide the adapted file for testing on a test system.
defaults.zip
Best regards, Frank
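As an added example (not FlatPress's own code and not the attached defaults.zip), the following PHP shows how the header advice from both posts above fits together in a front controller: the SameSite session cookie, a CSP that lists the script host explicitly instead of blocking it, X-Frame-Options against clickjacking, and the FLoC opt-out written in the form the structured-header parser accepts. The function name send_security_headers and the hosts passed to it are assumptions for illustration.

```php
<?php
// Added example, not FlatPress code. Must run before any output is sent.

// Session cookie hardening (session.cookie_samesite needs PHP >= 7.3).
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}

/**
 * Emit hardened response headers. $extraScriptHosts lists third-party
 * origins that are deliberately allowed to serve scripts (assumed name).
 */
function send_security_headers(array $extraScriptHosts = []): void
{
    if (headers_sent()) {
        return; // too late to add headers; avoid PHP warnings
    }
    // script-src mirrors the policy quoted in the error above, plus any host
    // the site knowingly loads scripts from. A host that is not listed here
    // is refused, which is exactly the message the browser reported.
    $scriptSrc = array_merge(["'self'", "'unsafe-inline'", 'blob:'], $extraScriptHosts);
    $csp = implode('; ', [
        "default-src 'self'",
        'script-src ' . implode(' ', $scriptSrc),
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "font-src 'self' data:",
        "frame-ancestors 'self'",
    ]);
    header('Content-Security-Policy: ' . $csp);
    // Clickjacking defence for browsers that ignore frame-ancestors.
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // FLoC opt-out. No space after '=': "interest-cohort= ()" is not a valid
    // structured-field dictionary member and the whole policy is discarded.
    header('Permissions-Policy: interest-cohort=()');
}

// Pass the CDN origin only while the kit script is used instead of
// self-hosting the icons; with local fonts the argument can be dropped.
send_security_headers(['https://kit.fontawesome.com']);
```

After deploying, re-check the browser console: every further origin the kit fetches from must appear in the matching directive, or self-host the assets so no third-party origin is needed.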