Project

General

Profile

Actions
Copy link

Bug #100041

closed

Unexpected warning in environment status check after new CSP default for svg files in resources root htaccess

Added by Patrick Lenk about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Should have
Assignee:
-
Category:
System/Bootstrap/Configuration
Target version:
-
Start date:
2023-02-27
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
11
PHP Version:
Tags:
CSP, svg, htaccess
Complexity:
Is Regression:
Sprint Focus:

Description

The issue #93884 has been fixed with an updated CSP default for svg files in the resources (fileadmin) root .htaccess file. 

...
# matching requested *.svg files only (allows using inline styles when serving SVG files)
<FilesMatch "\.svg">
    Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';" 
</FilesMatch>
...

This now leads to an unexpected warning in the environment status check:
Unexpected server response
https://www.mysite.localhost/fileadmin/b1626f66.tmp/531f7264.svg: weak Content-Security-Policy for this location "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';"

This could be irritating for an admin as this is the desired CSP for svg files. Maybe the server response check also needs to be updated.

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #93884: fileadmin/.htaccess (resources-root-htaccess) partially blocks SVG filesClosed2021-04-08

Actions
Actions
Copy link

Also available in: Atom PDF