Closed oldrup closed 9 months ago
Oof! Yes, we used protocol-relative URLs to avoid a WordPress-related quirk: sometimes (e.g. when using a reverse proxy in Nginx) the is_ssl() check fails and it'll enqueue the script using non-SSL URLs.
But, in all honesty, I wasn't aware of this check.
I'll add some extra checks, so https:// is used if is_ssl() succeeds. Something like that.
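The check sketched above, written out as an added PHP example that is not the Plausible plugin's own code. It assumes a hypothetical plugin prefix `myplugin_`, a hypothetical proxied script path `/proxied/js/script.js`, and a hypothetical opt-in constant `MYPLUGIN_TRUST_FORWARDED_PROTO` that the site operator would define in wp-config.php; `is_ssl()`, `home_url()`, `add_action()` and `wp_enqueue_script()` are the real WordPress functions.

```php
<?php
// Added example (not the Plausible plugin's own code): enqueue the proxied
// script with an absolute https:// URL when the visitor's request is TLS,
// even if WordPress itself sits behind a reverse proxy that terminates TLS.
// "myplugin_", the script path and MYPLUGIN_TRUST_FORWARDED_PROTO are
// hypothetical names chosen for this example.

/**
 * True when the visitor reached the site over HTTPS.
 *
 * is_ssl() inspects $_SERVER['HTTPS'] and SERVER_PORT, which a proxy that
 * speaks plain HTTP to PHP does not set, so it can return false on an
 * HTTPS site. Two fallbacks cover that case: the configured home URL
 * already being https://, and (opt-in only) the X-Forwarded-Proto header.
 * The header is not trusted by default because any client can send it;
 * it only means something when a proxy in front of PHP overwrites it.
 */
function myplugin_request_is_https(): bool {
    if ( is_ssl() ) {
        return true;
    }

    // If the site is configured as https:// (Settings > General), emitting an
    // http:// script URL would only trigger a mixed-content block, so prefer https.
    if ( parse_url( home_url( '/' ), PHP_URL_SCHEME ) === 'https' ) {
        return true;
    }

    // Opt-in: the operator declares that a trusted proxy sets X-Forwarded-Proto.
    if ( defined( 'MYPLUGIN_TRUST_FORWARDED_PROTO' ) && MYPLUGIN_TRUST_FORWARDED_PROTO ) {
        $proto = isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
            ? strtolower( trim( (string) $_SERVER['HTTP_X_FORWARDED_PROTO'] ) )
            : '';
        return $proto === 'https';
    }

    return false;
}

/**
 * Absolute URL for the proxied script with an explicit scheme, never "//host/path".
 */
function myplugin_proxied_script_url( string $path = '/proxied/js/script.js' ): string {
    $scheme = myplugin_request_is_https() ? 'https' : 'http';
    return home_url( $path, $scheme );
}

add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script(
        'myplugin-analytics',
        myplugin_proxied_script_url(),
        array(),   // no dependencies
        null,      // no ?ver= query string
        true       // load in the footer
    );
} );
```

The design choice worth noting is the order of the fallbacks: the configured home URL is operator-controlled and safe to trust, whereas X-Forwarded-Proto is request data, so it is only honoured when the operator has explicitly said a proxy sets it.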
Just curious - is there anything I can do to help here? Testing any ideas?
Hi!
This is fixed in the next release. The next release will no longer use protocol relative URLs.
Hey! First, congratulations on the new release - very elegant 🎉
But, I must admit, I'm still experiencing poor ratings from Mozilla Observatory with proxy enabled, and the script appears, on my installation, to be loaded via a relative URL still. Screenshot from oldrup.dk with Plausible plugin 2.0.1 installed and proxy enabled
Mozilla observatory grade for oldrup.dk: https://observatory.mozilla.org/analyze/oldrup.dk
On another site of mine, oldrup.net, the proxy is disabled, and the score is better: https://observatory.mozilla.org/analyze/oldrup.net
Any ideas?
Just to be sure, can you disable and enable the Proxy? Perhaps the old, relative URLs are still stored in the DB.
Uh. @Dan0sz that appears to be the trick. As I actually reinstalled the Plausible 2.0.3 plugin entirely, and completed the entire onboarding experience - which is very well done btw - I assumed all settings were cleared.
But toggling the proxy option off and on again did the trick!
Screenshot: script now loaded from an absolute https:// URL:
And Mozilla is much happier (getting above B+ with WordPress is hard)
And Hardenize is happy too:
It's nice to be able to demonstrate that we can offer adequate statistics while honoring people's privacy, have great performance and good security.
Thanks for the help!
Hey. During my WP 6.3-related security checkup, I noticed that my Mozilla Observatory score suffered a big hit, from rating B to F.
Before:
After:
According to Mozilla, the culprit is, and I quote: "Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via `src="//..."`"
Observatory only triggers the warning when Plausible and its proxy are enabled. That's likely because it addresses the "secret script" using protocol-relative URLs:
Proxy code in HTML:
I don't know if it's possible to just use HTTPS, assuming web admins using the Plausible proxy do have their certificates in place, or?
I think this should be reproducible - it is on my sites. Not critical, will just disable Proxy for now - but I really like the feature.
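An added example (not from the issue or the plugin) of checking a rendered page for the two conditions Observatory reports here: script tags loaded over plain http: or via protocol-relative `//...` URLs, and third-party scripts without an `integrity` attribute. It uses PHP's built-in DOMDocument; the HTML and the host `example.org` are constructed for the example.

```php
<?php
// Added example, not from the issue or the plugin: scan a rendered page for
// script tags that Mozilla Observatory flags. The sample HTML below is
// constructed for illustration.

/**
 * Returns a list of findings, each with the offending src and the reason.
 * A script is treated as "external" when its host differs from $site_host.
 */
function scan_script_tags( string $html, string $site_host ): array {
    $findings = array();
    $doc = new DOMDocument();
    // Silence libxml warnings for HTML5 tags it does not know.
    libxml_use_internal_errors( true );
    $doc->loadHTML( $html );
    libxml_clear_errors();

    foreach ( $doc->getElementsByTagName( 'script' ) as $script ) {
        $src = $script->getAttribute( 'src' );
        if ( $src === '' ) {
            continue; // inline script, nothing to fetch
        }
        // Protocol-relative: parse_url() yields a host but no scheme here.
        if ( strpos( $src, '//' ) === 0 ) {
            $findings[] = array( 'src' => $src, 'issue' => 'protocol-relative URL' );
            continue;
        }
        $scheme = strtolower( (string) parse_url( $src, PHP_URL_SCHEME ) );
        if ( $scheme === 'http' ) {
            $findings[] = array( 'src' => $src, 'issue' => 'loaded over plain http' );
            continue;
        }
        $host = strtolower( (string) parse_url( $src, PHP_URL_HOST ) );
        if ( $host !== '' && $host !== strtolower( $site_host ) && ! $script->hasAttribute( 'integrity' ) ) {
            $findings[] = array( 'src' => $src, 'issue' => 'external script without integrity attribute' );
        }
    }
    return $findings;
}

// Constructed sample page: one proxied script with a protocol-relative URL,
// one absolute https URL on the site's own host, one third-party script without SRI.
$sample = <<<HTML
<!doctype html>
<html><head>
<script defer src="//example.org/proxied/js/script.js"></script>
<script defer src="https://example.org/wp-includes/js/jquery.min.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body></body></html>
HTML;

foreach ( scan_script_tags( $sample, 'example.org' ) as $f ) {
    printf( "%s: %s\n", $f['issue'], $f['src'] );
}
```

Running it on the sample reports the protocol-relative proxied script and the third-party script lacking `integrity`, while the same-host https jQuery tag passes; pointing it at a saved copy of your own page is a quick way to confirm whether a toggle (like disabling and re-enabling the proxy) actually changed the emitted src.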