From b21aba505873cb261f1037d040db6eb81723a756 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 20 Apr 2021 23:17:30 +0200 Subject: [PATCH 01/26] [SECURITY] Block usage of FLoC by default --- .../sql/updates/mysql/3.9.27-2021-04-20.sql | 3 +++ .../com_config/model/form/application.xml | 13 +++++++++++++ administrator/language/en-GB/en-GB.com_admin.ini | 2 ++ administrator/language/en-GB/en-GB.com_config.ini | 2 ++ libraries/src/Application/CMSApplication.php | 5 +++++ 5 files changed, 25 insertions(+) create mode 100644 administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql diff --git a/administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql b/administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql new file mode 100644 index 0000000000000..ca9b437d00d3c --- /dev/null +++ b/administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql @@ -0,0 +1,3 @@ +INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description_key`, `language_extension`, `language_client_id`, `type`, `version_introduced`, `enabled`) +VALUES +(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1); diff --git a/administrator/components/com_config/model/form/application.xml b/administrator/components/com_config/model/form/application.xml index 8d5b40ad54a17..6c6cc0a685da2 100644 --- a/administrator/components/com_config/model/form/application.xml +++ b/administrator/components/com_config/model/form/application.xml @@ -1208,6 +1208,19 @@ + + + + +
here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration." +COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" COM_ADMIN_REGISTER_GLOBALS="Register Globals" diff --git a/administrator/language/en-GB/en-GB.com_config.ini b/administrator/language/en-GB/en-GB.com_config.ini index 846e2714dad56..0a2fef26b3759 100644 --- a/administrator/language/en-GB/en-GB.com_config.ini +++ b/administrator/language/en-GB/en-GB.com_config.ini @@ -93,6 +93,8 @@ COM_CONFIG_FIELD_FILTERS_CUSTOM_BLACK_LIST="Custom Blacklist" COM_CONFIG_FIELD_FILTERS_NO_HTML="No HTML" COM_CONFIG_FIELD_FILTERS_NO_FILTER="No Filtering" COM_CONFIG_FIELD_FILTERS_WHITE_LIST="Whitelist" +COM_CONFIG_FIELD_FLOC_BLOCKER_DESC="Send a header to not support the tracking through the FLoC method proposed by Google." +COM_CONFIG_FIELD_FLOC_BLOCKER_LABEL="Block Google FLoC" COM_CONFIG_FRONTEDITING_DESC="Select if you want inline editing for modules and menu items (support may depend on your template)." COM_CONFIG_FRONTEDITING_LABEL="Inline Editing" COM_CONFIG_FRONTEDITING_MENUSANDMODULES="Modules & Menus" diff --git a/libraries/src/Application/CMSApplication.php b/libraries/src/Application/CMSApplication.php index ea6b65c45909a..bc0b05048c1e6 100644 --- a/libraries/src/Application/CMSApplication.php +++ b/libraries/src/Application/CMSApplication.php @@ -199,6 +199,11 @@ public function enqueueMessage($msg, $type = 'message') */ public function execute() { + if ($this->get('block_floc', 1)) + { + $this->setHeader('Permissions-Policy', 'interest-cohort=()', true); + } + // Perform application routines. $this->doExecute(); From 6c3df61132a689082cb17e7a984809d3984d854b Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 20 Apr 2021 23:53:13 +0200 Subject: [PATCH 02/26] Update administrator/language/en-GB/en-GB.com_admin.ini Co-authored-by: Brian Teeman --- administrator/language/en-GB/en-GB.com_admin.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
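Review bot: The `true` replace argument in `$this->setHeader('Permissions-Policy', 'interest-cohort=()', true)` throws away any Permissions-Policy header another component or plugin has already queued, together with every other directive it carried, and because the call runs before `$this->doExecute()` a later `setHeader()` from an extension can in turn replace this one, so the block is neither guaranteed nor additive. Permissions-Policy is a comma-separated dictionary, so the safer shape is to look for an existing header in `$this->getHeaders()` and append `, interest-cohort=()` to its value when the directive is missing, only creating a fresh header when none exists. The `execute()` method continues beyond the end of this hunk.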
diff --git a/administrator/language/en-GB/en-GB.com_admin.ini b/administrator/language/en-GB/en-GB.com_admin.ini index 5a978b66596f4..e02509330ff53 100644 --- a/administrator/language/en-GB/en-GB.com_admin.ini +++ b/administrator/language/en-GB/en-GB.com_admin.ini @@ -140,7 +140,7 @@ COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balanc COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="

For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26

This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).

Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.

" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\"" COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts. You can read more about it here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration." -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts" +COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" COM_ADMIN_REGISTER_GLOBALS="Register Globals" From 9df34945e6613258fed3fab26d0ca3c21367d00a Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 20 Apr 2021 23:53:23 +0200 Subject: [PATCH 03/26] Update administrator/language/en-GB/en-GB.com_admin.ini Co-authored-by: Brian Teeman --- administrator/language/en-GB/en-GB.com_admin.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_admin.ini b/administrator/language/en-GB/en-GB.com_admin.ini index e02509330ff53..5ab3ba30e3d48 100644 --- a/administrator/language/en-GB/en-GB.com_admin.ini +++ b/administrator/language/en-GB/en-GB.com_admin.ini @@ -139,7 +139,7 @@ COM_ADMIN_PLATFORM_VERSION="Joomla! Platform Version" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balancer Setting" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="

For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26

This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).

Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.

" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\"" -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts. You can read more about it here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration." +COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts (FLoC). You can read more about it here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration." COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" From 8074979723b81ea12d3287da390e17710a1a7e92 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Wed, 21 Apr 2021 09:25:26 +0200 Subject: [PATCH 04/26] Adding FLoC header to htaccess.txt --- htaccess.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/htaccess.txt b/htaccess.txt index 25b89f65cccda..d4cd2480d13ab 100644 --- a/htaccess.txt +++ b/htaccess.txt @@ -24,6 +24,7 @@ ## Suppress mime type detection in browsers for unknown types Header always set X-Content-Type-Options "nosniff" +Header always set Permissions-Policy: interest-cohort=() ## Can be commented out if causes errors, see notes above. From 60f78c1876901f430aeef82ac6ac97a026e10783 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Wed, 21 Apr 2021 09:35:32 +0200 Subject: [PATCH 05/26] Adding update scripts for Postgres and MSSQL --- .../com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql | 3 +++ .../com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql | 3 +++ 2 files changed, 6 insertions(+) create mode 100644 administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql create mode 100644 administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql diff --git a/administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql b/administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql new file mode 100644 index 0000000000000..00b19369c23c1 --- /dev/null +++ b/administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql @@ -0,0 +1,3 @@ +INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description_key", "language_extension", "language_client_id", "type", "version_introduced", "enabled") +VALUES +(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1); 
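Review bot: `Header always set Permissions-Policy: interest-cohort=()` passes `Permissions-Policy:` with the colon as the header name, because mod_headers takes the name and value as separate arguments rather than a raw header line, so the header emitted would carry a malformed name; the directive should read `Header always set Permissions-Policy "interest-cohort=()"`, quoting the value the way the neighbouring X-Content-Type-Options line does. It is also worth confirming that this section sits inside a `<IfModule mod_headers.c>` guard, since the comment that "this can be commented out if causes errors" suggests it may not; the enclosing context is outside the hunk.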
diff --git a/administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql b/administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql new file mode 100644 index 0000000000000..e4121f310cd7c --- /dev/null +++ b/administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql @@ -0,0 +1,3 @@ +INSERT INTO [#__postinstall_messages] ([extension_id], [title_key], [description_key], [language_extension], [language_client_id], [type], [version_introduced], [enabled]) +VALUES +(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1); From 21f71d0d1971d8dad5d1ff02da73575151d3d248 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Wed, 21 Apr 2021 12:46:29 +0200 Subject: [PATCH 06/26] Update htaccess.txt Co-authored-by: Richard Fath --- htaccess.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htaccess.txt b/htaccess.txt index d4cd2480d13ab..eddf271a5bfe2 100644 --- a/htaccess.txt +++ b/htaccess.txt @@ -24,7 +24,7 @@ ## Suppress mime type detection in browsers for unknown types Header always set X-Content-Type-Options "nosniff" -Header always set Permissions-Policy: interest-cohort=() +Header always set Permissions-Policy "interest-cohort=()" ## Can be commented out if causes errors, see notes above. From e0ce2dbb03eb09438ecd112f74fbd678d91fcd94 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Thu, 29 Apr 2021 21:25:00 +0200 Subject: [PATCH 07/26] Prevent duplicate Permissions-Policy header Fix postinstall messages upon installation Prevent overwriting existing Permissions-Policy header --- htaccess.txt | 8 +++++++- installation/sql/mysql/joomla.sql | 3 ++- installation/sql/postgresql/joomla.sql | 3 ++- installation/sql/sqlazure/joomla.sql | 3 ++- libraries/src/Application/CMSApplication.php | 2 +- 5 files changed, 14 insertions(+), 5 deletions(-) 
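Review bot: `Header always set` replaces any Permissions-Policy header another rule has already placed on the response and silently drops the other directives it carried; since Permissions-Policy is a comma-separated dictionary, `Header always merge Permissions-Policy "interest-cohort=()"` adds the directive only when it is not already present and keeps the rest. With the application-side block enabled by default in the same series, this directive also means Joomla responses carry the directive twice, once from PHP and once from Apache, so the file should tell site owners which of the two mechanisms they are expected to use.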
diff --git a/htaccess.txt b/htaccess.txt index d4cd2480d13ab..b0282baa05fe1 100644 --- a/htaccess.txt +++ b/htaccess.txt @@ -24,7 +24,13 @@ ## Suppress mime type detection in browsers for unknown types Header always set X-Content-Type-Options "nosniff" -Header always set Permissions-Policy: interest-cohort=() +## +# Joomla considers the feature of Federated Learning of Cohorts (FLoC) to be against the +# interest of users and site owners. We encourage you to block this feature by +# uncomment the below directive. Read more about this in the Post-Installation message +# in the backend. +## +# Header always set Permissions-Policy: interest-cohort=() ## Can be commented out if causes errors, see notes above. diff --git a/installation/sql/mysql/joomla.sql b/installation/sql/mysql/joomla.sql index 841691426b1f5..275f3b9b0a862 100644 --- a/installation/sql/mysql/joomla.sql +++ b/installation/sql/mysql/joomla.sql 
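Review bot: The commented-out directive reintroduces the colon form `# Header always set Permissions-Policy: interest-cohort=()`, because this patch was built on blob d4cd2480d13ab (the pre-PATCH-06 file, visible in the `index` line) rather than on the corrected one, so anyone following the comment and uncommenting it would emit a malformed header name; it should read `# Header always set Permissions-Policy "interest-cohort=()"`. The comment text also reads "by uncomment the below directive", which should be "by uncommenting the directive below". A conflict on this line is likely when the series is applied in order.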
@@ -1675,7 +1675,8 @@ INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description (700, 'TPL_HATHOR_MESSAGE_POSTINSTALL_TITLE', 'TPL_HATHOR_MESSAGE_POSTINSTALL_BODY', 'TPL_HATHOR_MESSAGE_POSTINSTALL_ACTION', 'tpl_hathor', 1, 'action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_condition', '3.7.0', 1), (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1), (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1), -(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1); +(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1), +(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1); -- -------------------------------------------------------- diff --git a/installation/sql/postgresql/joomla.sql b/installation/sql/postgresql/joomla.sql index e8535c5dcdf8e..938b3e08b387a 100644 --- a/installation/sql/postgresql/joomla.sql +++ b/installation/sql/postgresql/joomla.sql 
@@ -1657,7 +1657,8 @@ INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description (700, 'TPL_HATHOR_MESSAGE_POSTINSTALL_TITLE', 'TPL_HATHOR_MESSAGE_POSTINSTALL_BODY', 'TPL_HATHOR_MESSAGE_POSTINSTALL_ACTION', 'tpl_hathor', 1, 'action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_condition', '3.7.0', 1), (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1), (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1), -(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1); +(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1), +(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1); -- -- Table structure for table `#__privacy_requests` diff --git a/installation/sql/sqlazure/joomla.sql b/installation/sql/sqlazure/joomla.sql index fb4c88e3e406f..105ecd6ff00f9 100644 --- a/installation/sql/sqlazure/joomla.sql +++ b/installation/sql/sqlazure/joomla.sql 
@@ -2372,7 +2372,8 @@ INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description (700, 'TPL_HATHOR_MESSAGE_POSTINSTALL_TITLE', 'TPL_HATHOR_MESSAGE_POSTINSTALL_BODY', 'TPL_HATHOR_MESSAGE_POSTINSTALL_ACTION', 'tpl_hathor', 1, 'action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_action', 'admin://templates/hathor/postinstall/hathormessage.php', 'hathormessage_postinstall_condition', '3.7.0', 1), (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1), (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1), -(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1); +(700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1), +(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1); -- -- Table structure for table `#__privacy_requests` diff --git a/libraries/src/Application/CMSApplication.php b/libraries/src/Application/CMSApplication.php index bc0b05048c1e6..3efd061ec496f 100644 --- a/libraries/src/Application/CMSApplication.php +++ b/libraries/src/Application/CMSApplication.php @@ -201,7 +201,7 @@ public function execute() { if ($this->get('block_floc', 1)) { - $this->setHeader('Permissions-Policy', 'interest-cohort=()', true); + $this->setHeader('Permissions-Policy', 'interest-cohort=()'); } // Perform application routines. 
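Review bot: Dropping the third argument stops `$this->setHeader('Permissions-Policy', 'interest-cohort=()')` from discarding an existing Permissions-Policy header, but if `setHeader()` appends when `$replace` is false (its definition is outside the hunk) the response now carries two Permissions-Policy headers whenever another extension has set one. Browsers parse the header as a structured dictionary and combine repeated instances, so the block still takes effect, but a single merged header is cleaner and avoids intermediaries that keep only the first instance: read `$this->getHeaders()`, and when a Permissions-Policy entry exists append `, interest-cohort=()` to its value instead of adding a second header.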
From 75acb9eabec40844b71e017eaa9c97cc3c4b0066 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Thu, 29 Apr 2021 21:39:10 +0200 Subject: [PATCH 08/26] Moving position of adding the FLoC header to after rendering the output --- libraries/src/Application/CMSApplication.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libraries/src/Application/CMSApplication.php b/libraries/src/Application/CMSApplication.php index 3efd061ec496f..dc0cd5584656e 100644 --- a/libraries/src/Application/CMSApplication.php +++ b/libraries/src/Application/CMSApplication.php @@ -199,11 +199,6 @@ public function enqueueMessage($msg, $type = 'message') */ public function execute() { - if ($this->get('block_floc', 1)) - { - $this->setHeader('Permissions-Policy', 'interest-cohort=()'); - } - // Perform application routines. $this->doExecute(); @@ -214,6 +209,11 @@ public function execute() $this->render(); } + if ($this->get('block_floc', 1)) + { + $this->setHeader('Permissions-Policy', 'interest-cohort=()'); + } + // If gzip compression is enabled in configuration and the server is compliant, compress the output. if ($this->get('gzip') && !ini_get('zlib.output_compression') && ini_get('output_handler') !== 'ob_gzhandler') { From 5d40b383973be5527c8bfff1b3b3313c8b17e76e Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Thu, 29 Apr 2021 22:36:04 +0200 Subject: [PATCH 09/26] Update htaccess.txt Co-authored-by: Phil E. Taylor --- htaccess.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htaccess.txt b/htaccess.txt index 3e8465ee326a3..b2a10f3dc004a 100644 --- a/htaccess.txt +++ b/htaccess.txt 
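Review bot: Setting the header only after `$this->render()` means it is applied solely to responses that reach that line; any response completed inside `doExecute()` — a redirect that closes the application, for instance — would be sent without it, if that is how those paths terminate (they are outside the hunk). If so, consider setting the directive before `doExecute()` as a default as well and merging it after `render()` only when an extension changed the header in between. The new placement should also carry a short comment stating why it sits after rendering, e.g. `// Added after rendering so a Permissions-Policy header set by a template or plugin is seen and merged rather than overwritten`.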
@@ -27,7 +27,7 @@ Header always set X-Content-Type-Options "nosniff" ## # Joomla considers the feature of Federated Learning of Cohorts (FLoC) to be against the # interest of users and site owners. We encourage you to block this feature by -# uncomment the below directive. Read more about this in the Post-Installation message +# uncommenting the below directive. Read more about this in the Post-Installation message # in the backend. ## # Header always set Permissions-Policy "interest-cohort=()" From b468b84418dca42ec5ab108b573de5f99e2f77c7 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 18 May 2021 16:14:37 +0200 Subject: [PATCH 10/26] Add floc header when permissions policy is already set --- libraries/src/Application/CMSApplication.php | 25 +++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/libraries/src/Application/CMSApplication.php b/libraries/src/Application/CMSApplication.php index dc0cd5584656e..00da6d8061084 100644 --- a/libraries/src/Application/CMSApplication.php +++ b/libraries/src/Application/CMSApplication.php @@ -211,7 +211,30 @@ public function execute() if ($this->get('block_floc', 1)) { - $this->setHeader('Permissions-Policy', 'interest-cohort=()'); + $headers = $this->getHeaders(); + + $notPresent = true; + + foreach($headers as $header) + { + if ($header['name'] === 'Permissions-Policy') + { + // Append interest-cohort if the Permissions-Policy is not set + if (strpos($header['value'], 'interest-cohort') === false) + { + $this->setHeader('Permissions-Policy', $header['value'] . ', interest-cohort=()', true); + } + + $notPresent = false; + + break; + } + } + + if ($notPresent) + { + $this->setHeader('Permissions-Policy', 'interest-cohort=()'); + } } // If gzip compression is enabled in configuration and the server is compliant, compress the output. From d4cc16b2932c79aa94b8866f709bd214301a6be2 Mon Sep 17 00:00:00 2001 
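Review bot: The match `$header['name'] === 'Permissions-Policy'` is case-sensitive while HTTP header names are not, so a header queued as `permissions-policy` by another extension is not found, `$notPresent` stays true and a second Permissions-Policy header is added; compare with `strcasecmp($header['name'], 'Permissions-Policy') === 0` and use `stripos` for the value. The substring test `strpos($header['value'], 'interest-cohort') === false` also treats an existing permissive directive such as `interest-cohort=*` or `interest-cohort=(self)` as already handled, so with block_floc enabled the site would still advertise FLoC; either inspect the directive's allowlist or document in a comment that an explicit existing setting deliberately wins. The `$headers` array shape relied on here (`name`/`value` keys) comes from `getHeaders()`, which is outside the hunk.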
From: Hannes Papenberg Date: Tue, 18 May 2021 16:18:47 +0200 Subject: [PATCH 11/26] Extend description of floc block in .htaccess --- htaccess.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/htaccess.txt b/htaccess.txt index b2a10f3dc004a..ead287f6a3649 100644 --- a/htaccess.txt +++ b/htaccess.txt @@ -26,9 +26,10 @@ Header always set X-Content-Type-Options "nosniff" ## # Joomla considers the feature of Federated Learning of Cohorts (FLoC) to be against the -# interest of users and site owners. We encourage you to block this feature by -# uncommenting the below directive. Read more about this in the Post-Installation message -# in the backend. +# interest of users and site owners. Joomla blocks this feature by default through its +# code. To block it for all requrests, uncomment the below directive and then disable the +# code in the global configuration of Joomla. Read more about this in the Post-Installation +# message in the backend. ## # Header always set Permissions-Policy "interest-cohort=()" From fcf12bd612ebc1445edbdeeadb8426032192c1bd Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 18 May 2021 16:22:21 +0200 Subject: [PATCH 12/26] Extending explanation in postinstall message --- administrator/language/en-GB/en-GB.com_admin.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_admin.ini b/administrator/language/en-GB/en-GB.com_admin.ini index 5ab3ba30e3d48..f9f4b8afe7723 100644 --- a/administrator/language/en-GB/en-GB.com_admin.ini +++ b/administrator/language/en-GB/en-GB.com_admin.ini @@ -139,7 +139,7 @@ COM_ADMIN_PLATFORM_VERSION="Joomla! Platform Version" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balancer Setting" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="

For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26

This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).

Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.

" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\"" -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts (FLoC). You can read more about it here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration." +COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts (FLoC). You can read more about it here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration. To additionally enable this feature for all other requests to your server, enable it in your .htaccess. In that case you have to disable the block in the Global Configuration." COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" From a7ef7b992522da90b57a974a3de65a526043921c Mon Sep 17 00:00:00 2001 From: Harald Leithner Date: Tue, 18 May 2021 16:46:52 +0200 Subject: [PATCH 13/26] Update administrator/language/en-GB/en-GB.com_admin.ini Co-authored-by: Phil E. Taylor --- administrator/language/en-GB/en-GB.com_admin.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_admin.ini b/administrator/language/en-GB/en-GB.com_admin.ini index f9f4b8afe7723..a2afd7c2a480b 100644 --- a/administrator/language/en-GB/en-GB.com_admin.ini +++ b/administrator/language/en-GB/en-GB.com_admin.ini @@ -139,7 +139,7 @@ COM_ADMIN_PLATFORM_VERSION="Joomla! Platform Version" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balancer Setting" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="

For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26

This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).

Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.

" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\"" -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts (FLoC). You can read more about it here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration. To additionally enable this feature for all other requests to your server, enable it in your .htaccess. In that case you have to disable the block in the Global Configuration." +COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts (FLoC). You can read more about it here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration. To additionally enable this feature for all other requests to your server, enable it in your .htaccess. In that case you have to disable this feature in the Global Configuration." COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" From 96d90c20d820f5e27052d194a1d459ff8269842e Mon Sep 17 00:00:00 2001 From: Harald Leithner Date: Tue, 18 May 2021 16:47:01 +0200 Subject: [PATCH 14/26] Update htaccess.txt Co-authored-by: Phil E. Taylor --- htaccess.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htaccess.txt b/htaccess.txt index ead287f6a3649..ba9ce89697404 100644 --- a/htaccess.txt +++ b/htaccess.txt @@ -28,7 +28,7 @@ Header always set X-Content-Type-Options "nosniff" # Joomla considers the feature of Federated Learning of Cohorts (FLoC) to be against the # interest of users and site owners. Joomla blocks this feature by default through its # code. To block it for all requrests, uncomment the below directive and then disable the -# code in the global configuration of Joomla. Read more about this in the Post-Installation +# this feature in the global configuration of Joomla. Read more about this in the Post-Installation # message in the backend. ## # Header always set Permissions-Policy "interest-cohort=()" From 6abf5b5fa705c39086b3c07cc85427baf413ce2d Mon Sep 17 00:00:00 2001 From: Harald Leithner Date: Tue, 18 May 2021 16:47:12 +0200 Subject: [PATCH 15/26] Update libraries/src/Application/CMSApplication.php Co-authored-by: Richard Fath --- libraries/src/Application/CMSApplication.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/src/Application/CMSApplication.php b/libraries/src/Application/CMSApplication.php index 00da6d8061084..de2da59c52d6f 100644 --- a/libraries/src/Application/CMSApplication.php +++ b/libraries/src/Application/CMSApplication.php @@ -215,7 +215,7 @@ public function execute() $notPresent = true; - foreach($headers as $header) + foreach ($headers as $header) { if ($header['name'] === 'Permissions-Policy') { From a660cd03c0b6726ffa02f466671ef0ec7ebed83d Mon Sep 17 00:00:00 2001 
From: Harald Leithner Date: Tue, 18 May 2021 16:47:57 +0200 Subject: [PATCH 16/26] Update htaccess.txt Co-authored-by: Phil E. Taylor --- htaccess.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htaccess.txt b/htaccess.txt index ba9ce89697404..911e75733827b 100644 --- a/htaccess.txt +++ b/htaccess.txt @@ -27,7 +27,7 @@ Header always set X-Content-Type-Options "nosniff" ## # Joomla considers the feature of Federated Learning of Cohorts (FLoC) to be against the # interest of users and site owners. Joomla blocks this feature by default through its -# code. To block it for all requrests, uncomment the below directive and then disable the +# code. To block it for all requests, uncomment the below directive and then disable the # this feature in the global configuration of Joomla. Read more about this in the Post-Installation # message in the backend. ## From 69d17b5bc4e71a08ac9968a71fe07747899f639c Mon Sep 17 00:00:00 2001 From: Harald Leithner Date: Tue, 18 May 2021 16:48:04 +0200 Subject: [PATCH 17/26] Update htaccess.txt Co-authored-by: Phil E. Taylor --- htaccess.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htaccess.txt b/htaccess.txt index 911e75733827b..1e4186d0b2bd7 100644 --- a/htaccess.txt +++ b/htaccess.txt @@ -25,7 +25,7 @@ Header always set X-Content-Type-Options "nosniff" ## -# Joomla considers the feature of Federated Learning of Cohorts (FLoC) to be against the +# The Joomla! Project considers the feature of Federated Learning of Cohorts (FLoC) to be against the # interest of users and site owners. Joomla blocks this feature by default through its # code. To block it for all requests, uncomment the below directive and then disable the # this feature in the global configuration of Joomla. Read more about this in the Post-Installation From 3e8b5a87b50e1f146f4c5a8ba4a5a3d36506f327 Mon Sep 17 00:00:00 2001 
From: Harald Leithner Date: Tue, 18 May 2021 16:50:27 +0200 Subject: [PATCH 18/26] Update administrator/language/en-GB/en-GB.com_config.ini Co-authored-by: Phil E. Taylor --- administrator/language/en-GB/en-GB.com_config.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_config.ini b/administrator/language/en-GB/en-GB.com_config.ini index 0a2fef26b3759..9f47b0d34cbcc 100644 --- a/administrator/language/en-GB/en-GB.com_config.ini +++ b/administrator/language/en-GB/en-GB.com_config.ini @@ -94,7 +94,7 @@ COM_CONFIG_FIELD_FILTERS_NO_HTML="No HTML" COM_CONFIG_FIELD_FILTERS_NO_FILTER="No Filtering" COM_CONFIG_FIELD_FILTERS_WHITE_LIST="Whitelist" COM_CONFIG_FIELD_FLOC_BLOCKER_DESC="Send a header to not support the tracking through the FLoC method proposed by Google." -COM_CONFIG_FIELD_FLOC_BLOCKER_LABEL="Block Google FLoC" +COM_CONFIG_FIELD_FLOC_BLOCKER_LABEL="Block FLoC" COM_CONFIG_FRONTEDITING_DESC="Select if you want inline editing for modules and menu items (support may depend on your template)." COM_CONFIG_FRONTEDITING_LABEL="Inline Editing" COM_CONFIG_FRONTEDITING_MENUSANDMODULES="Modules & Menus" From 1671bf53ae8b52c960ebde494cf0cf81cf9e6bc9 Mon Sep 17 00:00:00 2001 From: Harald Leithner Date: Tue, 18 May 2021 16:50:37 +0200 Subject: [PATCH 19/26] Update libraries/src/Application/CMSApplication.php --- libraries/src/Application/CMSApplication.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/src/Application/CMSApplication.php b/libraries/src/Application/CMSApplication.php index de2da59c52d6f..521a7a438efad 100644 --- a/libraries/src/Application/CMSApplication.php +++ b/libraries/src/Application/CMSApplication.php 
@@ -217,7 +217,7 @@ public function execute()
 foreach ($headers as $header)
 {
- if ($header['name'] === 'Permissions-Policy')
+ if (strtolower($header['name']) === 'permissions-policy')
 {
 // Append interest-cohort if the Permissions-Policy is not set
 if (strpos($header['value'], 'interest-cohort') === false)
From 187698f616909827ec90ed20a1b99e0c5b940a79 Mon Sep 17 00:00:00 2001
From: Hannes Papenberg
Date: Tue, 18 May 2021 17:09:10 +0200
Subject: [PATCH 20/26] Clean up
---
 administrator/language/en-GB/en-GB.com_config.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/administrator/language/en-GB/en-GB.com_config.ini b/administrator/language/en-GB/en-GB.com_config.ini
index 9f47b0d34cbcc..372e2ffeeb81c 100644
--- a/administrator/language/en-GB/en-GB.com_config.ini
+++ b/administrator/language/en-GB/en-GB.com_config.ini
@@ -93,7 +93,7 @@ COM_CONFIG_FIELD_FILTERS_CUSTOM_BLACK_LIST="Custom Blacklist"
 COM_CONFIG_FIELD_FILTERS_NO_HTML="No HTML"
 COM_CONFIG_FIELD_FILTERS_NO_FILTER="No Filtering"
 COM_CONFIG_FIELD_FILTERS_WHITE_LIST="Whitelist"
-COM_CONFIG_FIELD_FLOC_BLOCKER_DESC="Send a header to not support the tracking through the FLoC method proposed by Google."
+COM_CONFIG_FIELD_FLOC_BLOCKER_DESC="Send a header to not support the tracking through the FLoC method."
 COM_CONFIG_FIELD_FLOC_BLOCKER_LABEL="Block FLoC"
 COM_CONFIG_FRONTEDITING_DESC="Select if you want inline editing for modules and menu items (support may depend on your template)."
 COM_CONFIG_FRONTEDITING_LABEL="Inline Editing"
From 6bb53c78510da0227d31c693fab346edd5c42277 Mon Sep 17 00:00:00 2001
From: Hannes Papenberg
Date: Tue, 18 May 2021 17:11:44 +0200
Subject: [PATCH 21/26] Clean up
---
 htaccess.txt | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/htaccess.txt b/htaccess.txt
index 1e4186d0b2bd7..ded84b8543408 100644
--- a/htaccess.txt
+++ b/htaccess.txt
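Review bot: The value test on the last visible line, `if (strpos($header['value'], 'interest-cohort') === false)`, only checks that the substring is present, so a Permissions-Policy header that already names the feature in an allowing form is skipped rather than overridden, which contradicts the comment `// Append interest-cohort if the Permissions-Policy is not set`. The new case-insensitive name match is right because HTTP header names are case-insensitive, but the same care does not extend to what the existing value says about the feature. If the option is meant to guarantee the block whenever it is enabled, this branch should inspect the existing `interest-cohort` directive and replace it with `interest-cohort=()` instead of leaving it untouched; at minimum a comment such as `// An existing interest-cohort directive is kept as-is, even if it allows the feature` would make the current behaviour explicit. The body of this branch and the surrounding `execute()` method continue outside the hunk, so the replacement logic may already live there.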
@@ -25,11 +25,12 @@ Header always set X-Content-Type-Options "nosniff" ## -# The Joomla! Project considers the feature of Federated Learning of Cohorts (FLoC) to be against the -# interest of users and site owners. Joomla blocks this feature by default through its -# code. To block it for all requests, uncomment the below directive and then disable the -# this feature in the global configuration of Joomla. Read more about this in the Post-Installation -# message in the backend. +# The Joomla! Project considers the feature of Federated Learning of Cohorts (FLoC) +# to be a security issue and to be against the interest of users and site owners. +# Joomla blocks this feature by default through its code. To block it for all requests, +# uncomment the below directive and then disable the this feature in the global +# configuration of Joomla. Read more about this in the Post-Installation message +# in the backend. ## # Header always set Permissions-Policy "interest-cohort=()" From 22926767724c2a19508567a0eb91a6c440b89984 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 18 May 2021 17:17:20 +0200 Subject: [PATCH 22/26] Clean up --- administrator/language/en-GB/en-GB.com_admin.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_admin.ini b/administrator/language/en-GB/en-GB.com_admin.ini index a2afd7c2a480b..90860374b5918 100644 --- a/administrator/language/en-GB/en-GB.com_admin.ini +++ b/administrator/language/en-GB/en-GB.com_admin.ini @@ -139,7 +139,7 @@ COM_ADMIN_PLATFORM_VERSION="Joomla! Platform Version" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balancer Setting" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="

For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26

This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).

Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.

" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\"" -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="Google is introducing a replacement for third party tracking cookies, a feature named Federated Learning of Cohorts (FLoC). You can read more about it here. The Joomla! project believes this feature to be problematic and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration. To additionally enable this feature for all other requests to your server, enable it in your .htaccess. In that case you have to disable this feature in the Global Configuration." +COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="A new feature is currently being rolled out to browsers to replace third party tracking cookies. This features is named Federated Learning of Cohorts (FLoC) and you can read more about it here. The Joomla! project believes this feature to be a security issue and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration. To additionally enable this feature for all other requests to your server, enable it in your .htaccess. In that case you have to disable this feature in the Global Configuration." COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" From f9cfae4b91fe1e75c9c3ab3358c524a7819d92cd Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 18 May 2021 18:12:10 +0200 Subject: [PATCH 23/26] Update administrator/language/en-GB/en-GB.com_admin.ini Co-authored-by: Harald Leithner --- administrator/language/en-GB/en-GB.com_admin.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_admin.ini b/administrator/language/en-GB/en-GB.com_admin.ini index 90860374b5918..634c2b2f2935a 100644 --- a/administrator/language/en-GB/en-GB.com_admin.ini +++ b/administrator/language/en-GB/en-GB.com_admin.ini @@ -139,7 +139,7 @@ COM_ADMIN_PLATFORM_VERSION="Joomla! Platform Version" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balancer Setting" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="

For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26

This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).

Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.

" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\"" -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="A new feature is currently being rolled out to browsers to replace third party tracking cookies. This features is named Federated Learning of Cohorts (FLoC) and you can read more about it here. The Joomla! project believes this feature to be a security issue and against the interests of our users, both the owners of Joomla!-powered sites, as well as their visitors. We do follow the EFF in their assessment and have added a feature to block this technology on all Joomla sites. This feature has been enabled by default. If you disagree with this decision and want to allow FLoC for your website, you can disable it from the Global Configuration. To additionally enable this feature for all other requests to your server, enable it in your .htaccess. In that case you have to disable this feature in the Global Configuration." +COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="A new technology is currently being rolled out to browsers to replace third party tracking cookies. This technology is named Federated Learning of Cohorts (FLoC) and you can read more about it here and here. Starting with Joomla! 3.9.27 your website blocks this technology, you can re-allow it from the Global Configuration. Additionally to disable this technology for all requests to your server, you have to update your .htaccess." COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" From 5b7f70df47a3bd4ebce84036aed4cbede04307ea Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 18 May 2021 18:12:38 +0200 Subject: [PATCH 24/26] Update htaccess.txt Co-authored-by: Harald Leithner --- htaccess.txt | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/htaccess.txt b/htaccess.txt index ded84b8543408..8c1963cbc020f 100644 --- a/htaccess.txt +++ b/htaccess.txt @@ -25,12 +25,10 @@ Header always set X-Content-Type-Options "nosniff" ## -# The Joomla! Project considers the feature of Federated Learning of Cohorts (FLoC) -# to be a security issue and to be against the interest of users and site owners. -# Joomla blocks this feature by default through its code. To block it for all requests, -# uncomment the below directive and then disable the this feature in the global -# configuration of Joomla. Read more about this in the Post-Installation message -# in the backend. +# Disable Federated Learning of Cohorts (FLoC) +# If you uncomment the below directive you have to allow this technology in the +# Global Configuration of Joomla. Read more about this in the Post-Installation +# message in the backend. ## # Header always set Permissions-Policy "interest-cohort=()" From c3c2ec3726afead704bf06e8c3c6b5ec3ddaa0c0 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 18 May 2021 19:02:08 +0200 Subject: [PATCH 25/26] Update administrator/language/en-GB/en-GB.com_admin.ini Co-authored-by: Quy --- administrator/language/en-GB/en-GB.com_admin.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_admin.ini b/administrator/language/en-GB/en-GB.com_admin.ini index 634c2b2f2935a..9e70671855469 100644 --- a/administrator/language/en-GB/en-GB.com_admin.ini +++ b/administrator/language/en-GB/en-GB.com_admin.ini 
@@ -139,7 +139,7 @@ COM_ADMIN_PLATFORM_VERSION="Joomla! Platform Version" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balancer Setting" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="

For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26

This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).

Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.

" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\"" -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="A new technology is currently being rolled out to browsers to replace third party tracking cookies. This technology is named Federated Learning of Cohorts (FLoC) and you can read more about it here and here. Starting with Joomla! 3.9.27 your website blocks this technology, you can re-allow it from the Global Configuration. Additionally to disable this technology for all requests to your server, you have to update your .htaccess." +COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="A new technology is currently being rolled out to browsers to replace third party tracking cookies. This technology is named Federated Learning of Cohorts (FLoC) and you can read more about it here and here. Starting with Joomla! 3.9.27 your website blocks this technology, you can re-allow it from the Global Configuration. Additionally to disable this technology for all requests to your server, you have to update your .htaccess." COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" From 1c30880ae5ae446412e71e42b3569d6e80adfae9 Mon Sep 17 00:00:00 2001 From: Hannes Papenberg Date: Tue, 18 May 2021 19:13:00 +0200 Subject: [PATCH 26/26] Clean up --- .../com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql | 2 +- .../com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql | 2 +- .../com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql | 2 +- administrator/language/en-GB/en-GB.com_admin.ini | 4 ++-- installation/sql/mysql/joomla.sql | 2 +- installation/sql/postgresql/joomla.sql | 2 +- installation/sql/sqlazure/joomla.sql | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql b/administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql index ca9b437d00d3c..42748f289e559 100644 --- a/administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql +++ b/administrator/components/com_admin/sql/updates/mysql/3.9.27-2021-04-20.sql @@ -1,3 +1,3 @@ INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description_key`, `language_extension`, `language_client_id`, `type`, `version_introduced`, `enabled`) VALUES -(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1); +(700, 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1); diff --git a/administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql b/administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql index 00b19369c23c1..c34c3ad0be557 100644 --- a/administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql +++ b/administrator/components/com_admin/sql/updates/postgresql/3.9.27-2021-04-20.sql 
@@ -1,3 +1,3 @@
 INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description_key", "language_extension", "language_client_id", "type", "version_introduced", "enabled")
 VALUES
-(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1);
+(700, 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1);
diff --git a/administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql b/administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql
index e4121f310cd7c..8b9b981e1f75a 100644
--- a/administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql
+++ b/administrator/components/com_admin/sql/updates/sqlazure/3.9.27-2021-04-20.sql
@@ -1,3 +1,3 @@
 INSERT INTO [#__postinstall_messages] ([extension_id], [title_key], [description_key], [language_extension], [language_client_id], [type], [version_introduced], [enabled])
 VALUES
-(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1);
+(700, 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_DESCRIPTION', 'com_admin', 1, 'message', '3.9.27', 1);
diff --git a/administrator/language/en-GB/en-GB.com_admin.ini b/administrator/language/en-GB/en-GB.com_admin.ini
index 9e70671855469..491c0f586adf2 100644
--- a/administrator/language/en-GB/en-GB.com_admin.ini
+++ b/administrator/language/en-GB/en-GB.com_admin.ini
@@ -139,8 +139,8 @@ COM_ADMIN_PLATFORM_VERSION="Joomla! Platform Version"
 COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_ACTION="Enable Behind Load Balancer Setting"
 COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_DESCRIPTION="

For Joomla sites hosted behind Load Balancers and Reverse Proxies a new Global Configuration setting has been introduced with Joomla 3.9.26

This setting, when enabled, will allow your Load Balancer/Reverse Proxy to provide the real IP address of your visitors. This IP will then be used in your Action Logs and used for tracking voting on articles (if these features are enabled).

Only sites behind a Load Balancer/Reverse Proxy will wish to enable this feature.

" COM_ADMIN_POSTINSTALL_MSG_BEHIND_LOAD_BALANCER_TITLE="New Server Setting \"Behind Load Balancer\"" -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION="A new technology is currently being rolled out to browsers to replace third party tracking cookies. This technology is named Federated Learning of Cohorts (FLoC) and you can read more about it here and here. Starting with Joomla! 3.9.27 your website blocks this technology, you can re-allow it from the Global Configuration. Additionally to disable this technology for all requests to your server, you have to update your .htaccess." -COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" +COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_DESCRIPTION="A new technology is currently being rolled out to browsers to replace third party tracking cookies. This technology is named Federated Learning of Cohorts (FLoC) and you can read more about it here and here. Starting with Joomla! 3.9.27 your website blocks this technology, you can re-allow it from the Global Configuration. Additionally to disable this technology for all requests to your server, you have to update your .htaccess." +COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_TITLE="Block Federated Learning of Cohorts (FLoC)" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_DESCRIPTION="

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends to manually apply the necessary changes to any existing .htaccess file, as this file can not be updated automatically.

The old code:

<IfModule autoindex>\n  IndexIgnore *\n</IfModule>

The new code:

<IfModule mod_autoindex.c>\n  IndexIgnore *\n</IfModule>
" COM_ADMIN_POSTINSTALL_MSG_HTACCESS_AUTOINDEX_TITLE=".htaccess Update Concerning Directory Listings" COM_ADMIN_REGISTER_GLOBALS="Register Globals" diff --git a/installation/sql/mysql/joomla.sql b/installation/sql/mysql/joomla.sql index 275f3b9b0a862..c49be68099244 100644 --- a/installation/sql/mysql/joomla.sql +++ b/installation/sql/mysql/joomla.sql @@ -1676,7 +1676,7 @@ INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1), (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1), (700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1), -(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1); +(700, 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1); -- -------------------------------------------------------- diff --git a/installation/sql/postgresql/joomla.sql b/installation/sql/postgresql/joomla.sql index 938b3e08b387a..1ea2ae2d3d724 100644 --- a/installation/sql/postgresql/joomla.sql +++ b/installation/sql/postgresql/joomla.sql 
@@ -1658,7 +1658,7 @@ INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description
 (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1),
 (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1),
 (700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1),
-(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1);
+(700, 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1);
 --
 -- Table structure for table `#__privacy_requests`
diff --git a/installation/sql/sqlazure/joomla.sql b/installation/sql/sqlazure/joomla.sql
index 105ecd6ff00f9..e984c8c6d9fb3 100644
--- a/installation/sql/sqlazure/joomla.sql
+++ b/installation/sql/sqlazure/joomla.sql
@@ -2373,7 +2373,7 @@ INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description
 (700, 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_TITLE', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_BODY', 'PLG_PLG_RECAPTCHA_VERSION_1_POSTINSTALL_ACTION', 'plg_captcha_recaptcha', 1, 'action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_action', 'site://plugins/captcha/recaptcha/postinstall/actions.php', 'recaptcha_postinstall_condition', '3.8.6', 1),
 (700, 'COM_ACTIONLOGS_POSTINSTALL_TITLE', 'COM_ACTIONLOGS_POSTINSTALL_BODY', '', 'com_actionlogs', 1, 'message', '', '', '', '', '3.9.0', 1),
 (700, 'COM_PRIVACY_POSTINSTALL_TITLE', 'COM_PRIVACY_POSTINSTALL_BODY', '', 'com_privacy', 1, 'message', '', '', '', '', '3.9.0', 1),
-(700, 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_GOOGLE_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1);
+(700, 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_TITLE', 'COM_ADMIN_POSTINSTALL_MSG_FLOC_BLOCKER_DESCRIPTION', '', 'com_admin', 1, 'message', '', '', '', '', '3.9.27', 1);
 --
 -- Table structure for table `#__privacy_requests`