danielfpaiva, posted September 6, 2020

Good evening,

At the moment I'm trying to set up the HTTP security headers in the .htaccess file, but I'm having a problem with the Content-Security-Policy. In my file I have the following set of rules:

    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires 0
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "DENY"
    Header set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "same-origin"
    Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://coilcrypto.com"
    Header add Content-Security-Policy "default-src 'self'"
    Header add Content-Security-Policy "script-src 'self' https://cdn.jsdelivr.net/ cdn.amcharts.com"
    Header add Content-Security-Policy "style-src 'self' fonts.googleapis.com use.fontawesome.com"
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

When I load the site with all these lines, the external CSS and JS files are not loaded. However, when I remove the lines relating to Content-Security-Policy, the files load again. Could anyone help me?
Rui Carlos, posted September 6, 2020

You are setting multiple Content-Security-Policy headers. Try putting all the directives in a single header:

    Header add Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net/ cdn.amcharts.com; style-src 'self' fonts.googleapis.com use.fontawesome.com"

Rui Carlos Gonçalves
danielfpaiva (author), posted September 7, 2020

With everything on a single line:

    <IfModule mod_headers.c>
        Header set Cache-Control "no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires 0
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "DENY"
        Header set X-Content-Type-Options nosniff
        Header always set Referrer-Policy "same-origin"
        Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://coilcrypto.com"
        Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
        Header add Content-Security-Policy "default-src 'self'; script-src 'self' cdn.jsdelivr.net cdn.amcharts.com; style-src 'self' fonts.gstatic.com http://fonts.googleapis.com/ use.fontawesome.com"
    </IfModule>

I still have the problem of some files not being loaded. Here are a few examples:

    Request URL: https://fonts.gstatic.com/s/montserrat/v14/JTURjIg1_i6t8kCHKm45_cJD3gTD_u50.woff2
    Referrer Policy: strict-origin-when-cross-origin
    Provisional headers are shown
    Origin: http://localhost
    Referer: https://fonts.googleapis.com/

I also noticed that I have now started getting a warning about SameSite cookies, and I have no idea what that is.

Quote:
    A cookie associated with a cross-site resource at http://amcharts.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`.

Does anyone know what this might be?
M6, posted September 8, 2020

SameSite prevents browsers from sending cookies in cross-site requests. The aim is to mitigate the risk of information leaking through cookies in cross-site requests. If you want to know more about it, have a look at https://web.dev/samesite-cookies-explained/

As for the Content-Security-Policy, take a look here: https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/Content-Security-Policy, in particular the section on multiple security policies and the examples.

    10 REM Generation 48K!
    20 INPUT "URL:", A$
    30 IF A$(1 TO 4) = "HTTP" THEN PRINT "400 Bad Request": GOTO 50
    40 PRINT "404 Not Found"
    50 PRINT "./M6 @ Portugal a Programar."
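The two CSP behaviours this thread runs into, several headers all being enforced at once (Rui Carlos's point) and a missing directive falling back to default-src (why the fonts.gstatic.com .woff2 request is still blocked in the second post), are easy to reproduce with a small evaluator. The code below is an added example, not code from the forum or from Apache; it implements a simplified subset of the CSP3 source-matching rules (no nonces, hashes or 'unsafe-inline'), and the page origin https://example.org and the script and stylesheet URLs are assumed values, while the font URL is the one from the thread.

```python
"""Simplified evaluator for CSP fetch directives (added example, not from the thread)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Fallback chain per fetch directive (CSP3, simplified): the first directive
# present in the policy governs the request; if none is, it is unrestricted.
FALLBACK = {
    "script-src": ("script-src", "default-src"),
    "style-src": ("style-src", "default-src"),
    "font-src": ("font-src", "default-src"),
    "img-src": ("img-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
}


def parse_policy(header_value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # a repeated directive is ignored
    return policy


def _effective_port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def source_matches(expr, url, page_origin):
    """Match one source expression ('none', 'self', scheme-source, host-source) against a URL.

    Host-sources may carry a scheme, a port, a leading '*.' wildcard and a path;
    a path ending in '/' is a prefix match, any other path must match exactly.
    """
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, _effective_port(u)) == (p.scheme, p.hostname, _effective_port(p))
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as https: or data:
        return u.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("://")
    host_port, slash, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    # An explicit http: scheme in a host-source also matches https URLs (CSP3 scheme-part matching).
    if scheme and not (scheme == u.scheme or (scheme == "http" and u.scheme == "https")):
        return False
    hostname, host = (u.hostname or "").lower(), host.lower()
    if host.startswith("*."):
        if not hostname.endswith(host[1:]):
            return False
    elif host != hostname:
        return False
    if port == "":  # no port given: the URL must use its scheme's default port
        if u.port is not None and u.port != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and int(port) != _effective_port(u):
        return False
    if slash:
        path = "/" + path
        if path.endswith("/"):
            if not u.path.startswith(path):
                return False
        elif u.path != path:
            return False
    return True


def allowed_by_policy(policy, directive, url, page_origin):
    """Walk the fallback chain; the first directive present decides."""
    for name in FALLBACK[directive]:
        if name in policy:
            return any(source_matches(e, url, page_origin) for e in policy[name])
    return True


def allowed(headers, directive, url, page_origin):
    """Several Content-Security-Policy headers are all enforced: the request must pass every one."""
    return all(allowed_by_policy(parse_policy(h), directive, url, page_origin) for h in headers)


PAGE = "https://example.org"  # assumed page origin (not stated in the thread)

# The three separate headers from the first post.
SEPARATE_HEADERS = [
    "default-src 'self'",
    "script-src 'self' https://cdn.jsdelivr.net/ cdn.amcharts.com",
    "style-src 'self' fonts.googleapis.com use.fontawesome.com",
]
# The single header from the second post.
SINGLE_HEADER = ["default-src 'self'; script-src 'self' cdn.jsdelivr.net cdn.amcharts.com; "
                 "style-src 'self' fonts.gstatic.com http://fonts.googleapis.com/ use.fontawesome.com"]
# The same header plus a font-src directive, which is what the blocked .woff2 request needs.
FIXED_HEADER = [SINGLE_HEADER[0] + "; font-src 'self' fonts.gstatic.com"]

SCRIPT = "https://cdn.jsdelivr.net/npm/some-lib.js"                    # constructed URL
STYLE = "https://fonts.googleapis.com/css?family=Montserrat"            # constructed URL
FONT = "https://fonts.gstatic.com/s/montserrat/v14/JTURjIg1_i6t8kCHKm45_cJD3gTD_u50.woff2"  # from the thread


def thread_results():
    return {
        "separate_headers_script": allowed(SEPARATE_HEADERS, "script-src", SCRIPT, PAGE),
        "single_header_script": allowed(SINGLE_HEADER, "script-src", SCRIPT, PAGE),
        "single_header_style": allowed(SINGLE_HEADER, "style-src", STYLE, PAGE),
        "single_header_font": allowed(SINGLE_HEADER, "font-src", FONT, PAGE),
        "fixed_header_font": allowed(FIXED_HEADER, "font-src", FONT, PAGE),
    }


if __name__ == "__main__":
    for name, ok in thread_results().items():
        print(f"{name}: {'allowed' if ok else 'BLOCKED'}")
```

Run stand-alone, it reports the jsdelivr script as blocked under the three separate headers (the first one, default-src 'self', governs script-src on its own and fails the request), allowed under the single header, and the Montserrat font blocked under the single header but allowed once font-src lists fonts.gstatic.com. Listing fonts.gstatic.com under style-src does nothing for a font request; each resource type is governed by its own directive or, failing that, by default-src. The SameSite warning about amcharts.com is a separate matter: it is Chrome reporting a third-party cookie, not a CSP violation.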