Available in the `dev` branch.
More information is needed for this to possibly be a Drupal module issue, such as the site's URL with the issue, details or screenshots, etc.
The patch is not a solution for whatever the original issue was - it's arbitrary and breaks `addtoany.js`.
@bramdriesen Feel free to start a new support issue with a link to a page that has the issue you're experiencing.
AddToAny is a widely used module and this isn't a prominent issue, so related issues are almost certainly an edge case. Site 'performance' & 'optimization' modules are usually suspect in such cases.
Thanks @joco_sp. Heads up: Apparently AVG/Avast is again experiencing another false positive since they fixed this 18 days ago. 🤦‍♂️
I reported the false positive again and am escalating with AVG.
Anyone else seeing this, please feel free to report the false positive here as well:
https://www.avast.com/en-us/false-positive-file-form.php
That's definitely a false positive. It's all too common with Avast when you search the web for `URL:CardStealer` - obvious false positives on Google, DigiCert, etc. over several years.
I just reported this false positive to Avast. You can do so as well here:
https://www.avast.com/en-us/false-positive-file-form.php
Capitalism working as designed in the latest releases, where all references to Twitter have been removed.
AddToAny includes both X, with its non-logo, and Twitter too for the time being.
Fixes in the latest release. Thanks all!
Fixes in the latest releases, including the `2.0.x` branch.
Fixed in the latest releases. Thanks @sstapleton!
Fixed in the latest releases.
Validators may balk at the `uri` type but it's actually valid.
AddToAny offers "X" as a separate service:
```html
<a class="a2a_button_x"></a>
```
Since Drupal now strips empty elements in a Full HTML block, a workaround is to add some `span.a2a_label` text elements which are visually hidden by AddToAny.
```html
<div class="a2a_kit a2a_kit_size_32 a2a_floating_style a2a_vertical_style" style="left:0px;top:150px;">
  <a class="a2a_button_facebook">
    <span class="a2a_label">Facebook</span>
  </a>
  <a class="a2a_button_pinterest">
    <span class="a2a_label">Pinterest</span>
  </a>
  <a class="a2a_button_whatsapp">
    <span class="a2a_label">WhatsApp</span>
  </a>
  <a class="a2a_dd">
    <span class="a2a_label">AddToAny</span>
  </a>
</div>
```
Patch requirements on the `dev` branch so this feature can make a stable release:
- Add a new `limit_loading` boolean config option (default `false` per #17).
- Add the `limit_loading` checkbox option in AddToAny config > Additional Options:
  [ ] Only load AddToAny assets on pages that actively use this module. When enabled, dynamic AddToAny features and custom code may not work on all pages.
- In `addtoany_page_attachments()`, conditionally attach the `addtoany` library based on the `limit_loading` option.
- Attach the `addtoany` library to all AddToAny render arrays.
Thanks for the patch - committed to the `dev` branches and will be in the next releases.
Definitely do not use SRI on `page.js` - that evergreen file receives important updates and SRI will break it on the very next update.
For site security AddToAny supports a strict content security policy (CSP) with nonces; however, nonces aren't currently straightforward to implement in Drupal (csp module issue, seckit module issue: Implement a "semi automatic" Nonce settings [Needs work]), so it's a good idea to explicitly allow specific domains in `.htaccess` like:
```apache
Header add Content-Security-Policy "default-src 'unsafe-inline' https://*.addtoany.com https://*.pinterest.com; img-src 'self' data:;"
```
This explicitly allows domains such as `https://*.addtoany.com` (and `https://*.pinterest.com` if Pinterest is wanted, for example).
Implement meta tags for Twitter Cards:
https://www.addtoany.com/ext/meta-tags/
The Metatag module is probably good for this if you don't have a solution already.
Thanks @rockhard76 and @majidali for the patches.
#11 is getting close - great work. It had some issues in dev such as initially missing files so we had to revert, but happy to try another patch rolled for `2.0.x-dev`.
Patches welcomed to make this feature robust and release-ready.
Fixed in the latest release. Thanks for reporting!
Fixed in the latest release. Thanks for reporting!
Fixed in the latest release. Thanks for reporting!
Some additional work needed is outlined in #20. Patches welcome!
This is a Facebook issue, so you may want to try posting in Facebook's Developer Community Forum.
TikTok & Instagram do not offer proper sharing endpoints for the web, but they're available as follow buttons within AddToAny so you can link to your social media profiles. See:
https://www.addtoany.com/buttons/customize/drupal/follow_buttons
Since the site isn't using nonces, the CSP header needs to be updated to explicitly allow domains such as `https://*.addtoany.com` (and `https://*.pinterest.com` if Pinterest is wanted).
In `.htaccess` it should look something like:
```apache
Header add Content-Security-Policy "default-src 'unsafe-inline' https://*.addtoany.com https://*.pinterest.com; img-src 'self' data:;"
```
@unstatu Nothing in the dev branch yet! A patch per #20 is very welcome for `8.x-1.x` & `2.0.x` and would be a feature highlight in the next release.
How are you implementing your CSP?
The report in the screenshot is erroneously showing `http:` for some reason. What tool is that report from?
AddToAny has general guidance on working with a strict CSP where a nonce is the recommended usage:
https://www.addtoany.com/buttons/faq/#content-security-policy
In the Drupal ecosystem it seems that nonces aren't straightforward to implement yet (csp module, seckit module: Implement a "semi automatic" Nonce settings [Needs work]), so you'll probably want to include `https://*.addtoany.com` in an allowlist to generate something like the following HTML meta tag:
```html
<meta http-equiv="Content-Security-Policy"
      content="default-src 'unsafe-inline' https://*.addtoany.com https://*.pinterest.com; img-src 'self' data:">
```
The module already loads AddToAny using HTTPS.
AddToAny is secure by default and HSTS preloaded in browsers to ensure it loads over HTTPS only.
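The allowlist policy quoted in the comments above can be checked against sample resources with a reduced CSP source matcher. This is an added example, not code from AddToAny or the Drupal module; the function names, the resource URLs and the site origin passed to it are assumptions made for illustration.

```javascript
// Added example, not AddToAny or Drupal code. Reduced CSP source matching:
// handles scheme://host sources, "*." host wildcards, 'self' and bare schemes
// such as data:. Paths, ports, nonces, hashes and http->https upgrade are skipped.

// Policy string quoted in the comments above.
const POLICY = "default-src 'unsafe-inline' https://*.addtoany.com " +
  "https://*.pinterest.com; img-src 'self' data:;";

// Split a policy into { directive: [source expressions] }; first duplicate wins.
function parsePolicy(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Does one source expression match the resource URL?
function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  // Scheme-only source such as "data:" or "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)$/i.exec(source);
  if (!m || url.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[3].toLowerCase();
  // "*.example.com" covers subdomains only, never the bare domain.
  return m[2] ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// A fetch directive falls back to default-src only when it is absent.
function isAllowed(policy, directive, resource, selfOrigin) {
  const parsed = parsePolicy(policy);
  const sources = parsed[directive] ?? parsed["default-src"];
  if (sources === undefined) return true; // nothing restricts this type
  const url = new URL(resource);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}
```

With this policy, `isAllowed(POLICY, "img-src", ...)` returns false for an image on an `addtoany.com` subdomain because `img-src` is present and does not inherit from `default-src`, and a same-origin script is rejected because `default-src` carries no `'self'`.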
Provide block placement info, and link to the new doc on the Follow Buttons block.
Fixed in AddToAny `8.x-1.18` and `2.0.1`.