CSP, PhPBB, & MChat

bubbathegimp
Registered User
Posts: 132
Joined: Tue Sep 25, 2018 8:02 pm
Location: Off Plumb
Name: Bubba

CSP, PhPBB, & MChat

Post by bubbathegimp »

Anybody try out the new Security Header Policy protection on their boards?
https://en.wikipedia.org/wiki/Content_Security_Policy
I was using this in the .htaccess file:
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"

Seems to do funny things...
MChat just sat there spinning its wheel, displayed a lot of posts compared to what it was displaying before, and wouldn't let you add any posts.
The board itself was displayed in a finer print detail.
strange JuJu

John connor
Registered User
Posts: 2492
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: CSP, PhPBB, & MChat

Post by John connor »

A CSP will give you all kinds of issues in a CMS like phpBB or WordPress, etc. unless you have a lot of static content and/or you can whitelist each and every single resource.

I don't use a CSP due to this because it's a major PITA with how forums or WordPress works.

This is all you need at the top of your htaccess file:

#Extra Security Headers
<IfModule mod_headers.c>
	# Legacy XSS filter hint; most current browsers no longer implement it, harmless to keep
	Header set X-XSS-Protection "1; mode=block"
	# Send X-Frame-Options once: "append ... SAMEORIGIN" followed by "set ... DENY"
	# emits two conflicting values. DENY is the stricter choice if no board page is ever framed.
	Header always set X-Frame-Options SAMEORIGIN
	Header set X-Content-Type-Options nosniff
	# No colon after the header name, otherwise Apache sends "Referrer-Policy:: strict-origin"
	Header set Referrer-Policy strict-origin
</IfModule>

Once that is set, go here and you can see it in action: https://observatory.mozilla.org/

Or you can pull up the web console in your browser and see the headers in there on page load.

I'm not too sure what that code does you have there, but it looks like it ties everything to your website and doesn't allow external code or something. So JS, AJAX, Google fonts, etc. may fail unless you whitelist those resources. Again, due to the nature of a CMS like phpBB, WordPress or something else, it's not worth messing with a CSP unless you have a lot of static content and whitelist link after link, scripts, etc.

Mick
Support Team Member
Posts: 22325
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: CSP, PhPBB, & MChat

Post by Mick »

phpBB is not a CMS.
"The more connected we get the more alone we become" - Kyle Broflovski

Please read: “Am I In The Right Place?” before posting.

John connor
Registered User
Posts: 2492
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: CSP, PhPBB, & MChat

Post by John connor »

Then what is phpBB called? Just forum software? I always thought a content management system involved searching for content, posting content, etc., and phpBB would fall in that category.

Mick
Support Team Member
Posts: 22325
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: CSP, PhPBB, & MChat

Post by Mick »

As the logo states “Forum Software”, in old parlance it’s bulletin board software.

AmigoJack
Registered User
Posts: 5702
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: CSP, PhPBB, & MChat

Post by AmigoJack »

bubbathegimp wrote:
Sat Mar 07, 2020 7:28 am
Anybody try out the new Security Header Policy protection on their boards?
Yes, more than 2 years ago - see Re: Compatibility with CSP (Content Security Policy)? - why do you consider it "new"?
bubbathegimp wrote:
Sat Mar 07, 2020 7:28 am
Seems to do funny things
Then keep your hands off if you don't understand that restricting resource origins can result in missing JavaScript routines. Or what was your actual question?
John connor wrote:
Mon Mar 09, 2020 7:41 am
I always thought a content management system involved searching for content, posting content, etc
Then you always thought wrong: a https://en.wikipedia.org/wiki/Content_management_system manages and indexes any content, while an https://en.wikipedia.org/wiki/Internet_forum focuses on text messages. The former also lets you search through attachments (e.g. PDF, DOCX, JPEG, ZIP...) and comes up with revisions, while phpBB never found attachment content through the board search.
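A small evaluator, added here as an example and not code from phpBB, mChat or any poster in this thread, that shows why the policy quoted in the first post refuses the resources John connor and AmigoJack mention (the board origin and asset URLs are constructed):

```python
# Added example, not phpBB or mChat code: a minimal CSP evaluator that splits a
# Content-Security-Policy header into directives (';') and sources (whitespace)
# the way a browser does, then decides whether a resource load is allowed.
# Handles 'self', 'unsafe-inline', scheme sources and "*." host wildcards only.
from urllib.parse import urlsplit

def parse_csp(header):
    """Return {directive: [sources]}; browsers ignore a repeated directive."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _source_matches(src, url, page_origin):
    src, u = src.lower(), urlsplit(url)
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}".lower() == page_origin.lower()
    if src.endswith(":"):                  # scheme-source such as https:
        return u.scheme + ":" == src
    if src.startswith("'"):                # other keywords never match a URL
        return False
    if "://" not in src:                   # host-source inherits the page scheme
        src = urlsplit(page_origin).scheme + "://" + src
    s = urlsplit(src)
    host_ok = u.hostname == s.hostname or (
        s.hostname.startswith("*.") and u.hostname.endswith(s.hostname[1:]))
    return s.scheme == u.scheme and host_ok and s.port in (None, u.port)

def allowed(header, page_origin, directive, url=None):
    """url=None means an inline block; a missing directive falls back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                        # no applicable directive: unrestricted
    if url is None:
        return "'unsafe-inline'" in [s.lower() for s in sources]
    return any(_source_matches(s, url, page_origin) for s in sources)

def check_board_loads(header, page_origin="https://forum.example"):
    """Inline script, board-hosted script and Google Fonts stylesheet (constructed)."""
    return {"inline_script": allowed(header, page_origin, "script-src"),
            "self_script": allowed(header, page_origin, "script-src",
                                   page_origin + "/assets/javascript/core.js"),
            "google_fonts_css": allowed(header, page_origin, "style-src",
                                        "https://fonts.googleapis.com/css")}

# The first post's policy: inline and off-site scripts are refused, matching the
# thread's breakage; omit the ';' and a browser sees one default-src, same effect.
BOARD_POLICY = "default-src 'self'; script-src 'self';"
```

Sending the same value in Content-Security-Policy-Report-Only instead makes the browser log the violations it would have enforced, so the mChat and font loads a policy would refuse show up in the web console before anything is actually blocked.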
