toulibre LiteCart Fan From France Member since Jan 2021
toulibre May 10 2025 05:22 PM

In fact I have this warning message.

Warning: Modification "IBBoard Secure" failed during operation #5 in admin/graphs.widget/graphs.inc.php: Search not found in ~/includes/library/lib_vmod.inc.php (Line 215)
Warning: Modification "IBBoard Secure" failed during operation #6 in admin/graphs.widget/graphs.inc.php: Search not found in ~/includes/library/lib_vmod.inc.php (Line 215)

But when I reload the page it disappears.

ibboard Developer From United Kingdom Member since Jan 2025
ibboard May 10 2025 05:52 PM

I've worked out the "undefined array key" problem. It's the "brute-force everything" module. It's still using my older "assume mod_cspnonce" approach instead of the newer document::$nonce_attribute approach. I've fixed that now.

I've also renamed the brute-force mod, because it seems to be the only way to force it to run after the main module and not cause warnings. You'll need to delete the old csp_compatibility.xml file.

I've also standardised all of the <script> and <style> replacements so that it's one entry that applies to multiple files, rather than being repeated throughout. I haven't found any occurrences that I deleted but didn't put in the new list. And I've fixed up some more style attributes that I missed.

With the report-to warning, it looks like Firefox doesn't support that format yet. But that's why I also supply report-uri, which is the old version. So you can safely ignore that warning.

The other warning is hopefully also an ordering problem that will be fixed by the renamed module.

ibboard_secure.zip

toulibre LiteCart Fan From France Member since Jan 2021
toulibre May 10 2025 06:25 PM

That's funny, Mozilla talks about it and doesn't support it yet. I'll install Chromium if necessary but I don't like it much.

Your new version has no error now and both sides are working well. What's next?

toulibre LiteCart Fan From France Member since Jan 2021
toulibre May 10 2025 06:57 PM

I'm not (nearly) forgetting to congratulate you and your very nice work, wish this is the beginning of something great.

ibboard Developer From United Kingdom Member since Jan 2025
ibboard May 10 2025 07:01 PM

Thanks. Hopefully it's not necessary in LiteCart 3.x, but I wanted to do it because CSP is a thing and I think that a shop should be suitably secured!

It's not necessary to install Chromium. I use Firefox. The old report-uri still works, it's just that it's an old (possibly draft) standard that browsers implemented and then moved away from. I've found a few features that Firefox doesn't support, unfortunately. But Mozilla Developer Network is about the standards rather than what Firefox currently supports, which is why it's still documented there.

Next steps:

- Make sure there's nothing that I missed and that everything works with CSP enforcing (not just reporting)
- Check it with PayPal and other payment modules
- Add a way for people to extend the CSP rules to add CDNs and other domains (won't work for scripts because we've got strict-dynamic to make jQuery play nicely, but may be necessary for images etc)
- One or two more pull requests that tidy up some bits of LiteCart, which would allow me to not ship a replacement app.js (plus some minor bugs)
- Release in the Add-ons store

toulibre LiteCart Fan From France Member since Jan 2021
toulibre May 11 2025 12:06 PM

For now, add an alias, add an operation, add a parameter and add a patch don't work, and I don't see where the report-uri option is. Each click brings me back to the top of the page and nothing happens.

My Firefox is running "Trouble shoot mode on", so with no content blocking.

ibboard Developer From United Kingdom Member since Jan 2025
ibboard May 11 2025 12:22 PM

> add an alias, add an operation, add a parameter and add a patch don't work,

I'll look into that. I probably stripped some inline JavaScript but the replacement <script> block isn't right.

> I don't see where is report-uri option,

In the VMods section, to the right of the "OK" Health Check column, there should be a "Configure" button (it's off the screen for me in my default browser width). In there there's a setting called "Content Security Policy Report URL".

ibboard Developer From United Kingdom Member since Jan 2025
ibboard May 11 2025 02:47 PM

v0.93 with the VMod editing fixed. I'd managed to entirely miss that section!

The JavaScript wasn't working because it didn't get a nonce, so it didn't get collected by LiteCart and moved to the end, so it was running before jQuery was initialised.

ibboard_secure.zip

toulibre LiteCart Fan From France Member since Jan 2021
toulibre May 11 2025 06:39 PM

Didn't get a mail notification for your last reply ... anyway, now I'm able to add as expected. I'll check more to see if there are other things, but that seems pretty good!

toulibre LiteCart Fan From France Member since Jan 2021
toulibre May 12 2025 11:00 AM

You may release in the Add-ons store to get in touch with more users, if there are other things to adjust that I can't technically see. Unless you are still working on it in the background.

ibboard Developer From United Kingdom Member since Jan 2025
ibboard May 12 2025 08:50 PM

I still want to check a few more things and get some last bits wrapped up before it goes fully public. And I want to run a small CSP reporting server so that I don't have to watch the Firefox console while I browse (because Report-URI.com is no longer free for small accounts).

PayPal seemed to work when I finally bought the addon, installed it and used it. But I'm doing CSP headers from the server, so it looks like I still had the connect-src policy setting in there for PayPal. I'll need to test without it. Because it's no use releasing it if it breaks one of the more common payment methods 😁
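
An added example, not ibboard's code and not part of the add-on: a minimal collector of the kind the "small CSP reporting server" above would need, normalising both the older report-uri body and the newer report-to body discussed earlier in the thread. The function and class names, the port and the log format are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 64 * 1024  # violation reports are small; refuse anything larger

def normalise_reports(content_type, raw):
    """Return a list of {document, directive, blocked, disposition} dicts."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    out = []
    if ctype == "application/csp-report" and isinstance(data, dict):
        r = data.get("csp-report")  # report-uri: one object, hyphenated keys
        if isinstance(r, dict):
            out.append({
                "document": r.get("document-uri"),
                "directive": r.get("effective-directive") or r.get("violated-directive"),
                "blocked": r.get("blocked-uri"),
                "disposition": r.get("disposition"),
            })
    elif ctype == "application/reports+json" and isinstance(data, list):
        for item in data:  # report-to: a batch of typed reports, camelCase keys
            if not isinstance(item, dict) or item.get("type") != "csp-violation":
                continue
            b = item.get("body") if isinstance(item.get("body"), dict) else {}
            out.append({
                "document": b.get("documentURL"),
                "directive": b.get("effectiveDirective"),
                "blocked": b.get("blockedURL"),
                "disposition": b.get("disposition"),
            })
    return out

class ReportHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = self.headers.get("Content-Length", "")
        if not length.isdecimal() or int(length) > MAX_BODY:
            self.send_error(413)
            return
        body = self.rfile.read(int(length))
        for rep in normalise_reports(self.headers.get("Content-Type"), body):
            print("CSP", repr(rep), flush=True)  # repr() keeps report-supplied strings on one line
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8099), ReportHandler).serve_forever()  # assumed loopback port
```

The add-on's "Content Security Policy Report URL" setting mentioned earlier is where a collector like this would be referenced.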