mozilla / http-observatory-website

Mozilla Observatory (Website)
https://observatory.mozilla.org/
Mozilla Public License 2.0

SRI check on WP, HSTS site #259

Open churchthecat opened 3 years ago

churchthecat commented 3 years ago

I get the following error: Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//..." for site: operalogg.com and -50 points. Not sure how to fix since SRI is hard to do on WP. Everything is loaded over HTTPS; what remains is that the following are relative URLs.

Now I changed the script tag in the theme to (adding https:):

`<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js">`

Cleaned the cache, but no changes in the head when checking in the console.

The CDN is integrated in WP-rocket and no option to force absolute URL. Tried better search and replace plugin, but that did not work. Any Idea? I need to pass this score, everything is loaded securely so I don't understand why relative URLs should be such an issue?

floatingatoll commented 3 years ago

src=// is vulnerable to downgrade attacks. Please use src=https:// instead. Ancient browsers used to warn when https content was embedded in a page; they no longer do, so it’s no longer necessary.

Unfortunately it sounds like you do not control the component in question; I recommend contacting their support and asking them to correct the issue. They're welcome to comment here if they have questions or concerns.

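To make the downgrade point concrete, here is an added example (not code from this issue, the Observatory, or WP-Rocket): it resolves a protocol-relative `src="//..."` the way a browser does under an `http://` and an `https://` page URL, runs a simplified version of the external-script/SRI check quoted in the error message over a constructed sample page, and applies the `src="https://..."` rewrite recommended above. The sample HTML, `cdn.example.net` and the `sha384-PLACEHOLDER` digest are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Constructed sample page (not operalogg.com's real markup); the integrity
# value is a placeholder, not a real digest.
SAMPLE_HTML = """<html><head>
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/wp-content/themes/divi/scripts.js"></script>
</head><body></body></html>"""

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) pairs from every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def resolve_src(page_url, src):
    """Resolve a script src as a browser does: a protocol-relative '//host/path'
    inherits whatever scheme the page itself was loaded with."""
    return urljoin(page_url, src)

def audit_scripts(page_url, html):
    """Simplified version of the external-script/SRI check behind the
    Observatory message quoted in this issue. Returns (src, reason) pairs."""
    parser = ScriptCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src, integrity in parser.scripts:
        url = urlparse(resolve_src(page_url, src))
        if url.hostname == page_host:
            continue  # same-origin scripts are not scored for SRI here
        if src.startswith("//"):
            findings.append((src, "protocol-relative URL: downgrades to HTTP along with the page"))
        elif url.scheme != "https":
            findings.append((src, "external script loaded over plain HTTP"))
        elif not integrity:
            findings.append((src, "external HTTPS script without an integrity attribute"))
    return findings

def force_https_src(html):
    """Remediation from the reply above: rewrite src="//host" to src="https://host"."""
    return re.sub(r'(<script\b[^>]*\bsrc=["\'])//', r'\1https://', html)
```

After the rewrite the ad script still shows up, now only for the missing `integrity` attribute, which is the separate SRI part of the same Observatory finding.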

churchthecat commented 3 years ago

Yea, thing is the site is blocked from insecure requests by Cloudflare, CSP and HSTS. I have tried several ways. Found the Google ad script in Divi settings and changed it to HTTPS, however headers are still src:// for that. The CDN is also src://; tried search & replace by plugin. Just got 0 on a dry run there. I have a script for changing it by SQL query but don't want to mess anything up by using the wrong query. How are src:// vulnerable to attack on an HTTPS-only site? Really want to understand this, first time I encountered this issue.

On 16 September 2021 15:30:19 UTC, floatingatoll @.***> wrote:

> src=// is vulnerable to downgrade attacks. Please use src=https:// instead. Ancient browsers used to warn when https content was embedded in a page; they no longer do, so it's no longer necessary.
>
> On Thu, Sep 16, 2021 at 07:05 churchthecat @.***> wrote:
>
> > I get the following error: Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//..." for site: operalogg.com and -50 points. Not sure how to fix since SRI is hard to do on WP. Everything is loaded over HTTPS. remains that the following are relative URLs
> >
> > Now I changed the script tag in the theme to (adding https:):
> >
> > `<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js">`
> >
> > cleaned cache but no changes in head when checking in console.
> >
> > The CDN is integrated in WP-rocket and no option to force absolute URL. Tried better search and replace plugin, but that did not work. Any Idea? I need to pass this score, everything is loaded securely so I don't understand why relative URLs should be such an issue?

churchthecat commented 3 years ago

Thanks for the clarification in the edit. It seems I got the error on another page as well. I assume that the possibility of a downgrade attack, with the current settings in place, is non-existent. Well, at least until someone hacks Google maybe :). So I will just leave this for now. But I have to say, it does seem a bit excessive to dock 50 points on the test in this case.