This repository has been archived by the owner on Nov 4, 2024. It is now read-only.
SRI check on WP, HSTS site #259
src=// is vulnerable to downgrade attacks. Please use src=https:// instead.
Ancient browsers used to warn when https content was embedded in a page;
they no longer do, so it’s no longer necessary.
Unfortunately it sounds like you do not control the component in question; I recommend contacting their support and asking them to correct the issue. They're welcome to comment here if they have questions or concerns.
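The downgrade point above can be checked mechanically. The following is an added example, not Observatory's scanner and not code from this thread: it parses a page's HTML, resolves each external `<script src>` against the page URL the way a browser does, and reports any that are protocol-relative or plain `http://`, showing that the same `//` tag resolves to `http://` whenever the embedding page is served over HTTP. The sample `<head>` and the `cdn.example.net` host are constructed; only the AdSense URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a WordPress <head>; hostnames other than the
# AdSense one are placeholders, not taken from operalogg.com.
SAMPLE_HEAD = """
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="http://cdn.example.net/old.js"></script>
<script src="/wp-includes/js/jquery.js"></script>
"""


class ScriptAudit(HTMLParser):
    """Collect external <script src> references and classify how they resolve."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or not a.get("src"):
            return
        ref = a["src"]
        resolved = urljoin(self.page_url, ref)  # exactly what the browser will fetch
        if urlsplit(resolved).netloc == urlsplit(self.page_url).netloc:
            return  # same-origin script: the external-script check does not apply
        if ref.startswith("//"):
            kind = "protocol-relative"  # scheme is inherited from the embedding page
        elif ref.lower().startswith("http://"):
            kind = "plaintext"
        else:
            kind = "https"
        self.findings.append({"ref": ref, "kind": kind, "resolved": resolved,
                              "sri": "integrity" in a})


def audit(html, page_url):
    """Return one finding per external script in `html` as served at `page_url`."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    return parser.findings


def insecure(html, page_url):
    """External scripts not pinned to https:, i.e. the tags the thread's finding names."""
    return [f for f in audit(html, page_url) if f["kind"] != "https"]
```

Run `audit(SAMPLE_HEAD, "http://example.com/")` and `audit(SAMPLE_HEAD, "https://example.com/")` side by side to see the AdSense tag resolve to `http://` in the first case and `https://` in the second; the `sri` field records whether an `integrity` attribute is present.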
Yeah, the thing is insecure requests to the site are blocked by Cloudflare, CSP and HSTS. I have tried several ways. Found the Google ad script in Divi settings and changed it to HTTPS, however the headers are still src:// for that. The CDN is also src://; tried search & replace by plugin. Just got 0 on a dry run there. I have a script for changing it by SQL query but don't want to mess anything up by using the wrong query. How are src:// vulnerable to attack on an HTTPS-only site? Really want to understand this, first time I encountered this issue.
Thanks for the clarification in the edit. It seems I got the error on another page as well. I assume that the possibility of a downgrade attack, with the current settings in place, is non-existent. Well, at least until someone hacks Google maybe :). So I will just leave this for now.
I get the following error:
Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//..."
for site: operalogg.com
and -50 points.
Not sure how to fix this since SRI is hard to do on WP. Everything is loaded over HTTPS. It remains that the following are relative URLs.
Now I changed the script tag in the theme to (adding https:):

```html
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script> (adsbygoogle = window.adsbygoogle || []).push({ google_ad_client: "ca-pub-xxxxxxxxxx", enable_page_level_ads: true }); </script>
```

Cleaned the cache but no changes in head when checking in the console.
The CDN is integrated in WP-rocket and no option to force absolute URL.
Tried better search and replace plugin, but that did not work.
Any idea? I need to pass this score; everything is loaded securely, so I don't understand why relative URLs should be such an issue?