Bug #100798

closed

CSP: wildcard is url-encoded

Added by Franz Kugelmann 12 months ago. Updated 12 months ago.

Status: Resolved
Priority: Should have
Assignee: -
Category: Frontend
Target version:
Start date: 2023-05-03
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 12
PHP Version:
Tags: csp
Complexity:
Is Regression:
Sprint Focus:

Description

There is one special case with CSP directives, which is not correctly covered right now. Example:

mutations:
  - mode: set
    directive: 'frame-src'
    sources:
      - '*'

This leads to "frame-src /%2A;", effectively blocking all sources.
Especially for frame-src this global wildcard is in widespread use, since it is hard to predefine which URLs are allowed to be included in iframes.
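The failure mode reported above, shown next to the behaviour a CSP serializer should have, as an added Python example; it is not TYPO3 core code, and the function names (`serialize_naive`, `serialize`, `apply_mutations`, `audit`), the regular expressions and the sample policy are constructed for the example. Only the `mode: set` mutation that the report shows is modelled. The naive serializer emulates the symptom by percent-encoding any source that is neither a quoted keyword nor an absolute URL, which turns `*` into `/%2A`; the corrected one validates each source expression and copies it verbatim. The `audit` function is the check a defender would run against a header that is already being sent: it flags percent-encoded tokens (which match nothing) and directives that allow any origin.

```python
"""CSP source serialization and a header audit (added example, not TYPO3 code)."""
import re
from urllib.parse import quote

# Quoted keyword sources: 'self', 'none', 'unsafe-inline', 'nonce-...', 'sha256-...'
KEYWORD_RE = re.compile(
    r"^'(?:[a-z][a-z-]*|nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$"
)
# scheme-source: https: data: blob:
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
# host-source: optional scheme, optional '*.' prefix, host, optional port, optional path
HOST_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"
    r"(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"
    r"(?::(?:\d+|\*))?"
    r"(?:/[^\s;,'\"]*)?$"
)


def classify(source: str) -> str:
    """Return the CSP source-expression kind, or raise for malformed input."""
    if source == "*":
        return "wildcard"
    if KEYWORD_RE.match(source):
        return "keyword"
    if SCHEME_RE.match(source):
        return "scheme"
    if HOST_RE.match(source):
        return "host"
    raise ValueError(f"not a CSP source expression: {source!r}")


def serialize_naive(directive: str, sources: list[str]) -> str:
    """Emulation of the reported bug (constructed, not the real implementation):
    anything that is neither a keyword nor an absolute URL is treated as a
    relative path and percent-encoded, so '*' is emitted as '/%2A'."""
    out = []
    for s in sources:
        if s.startswith("'") or "://" in s:
            out.append(s)
        else:
            out.append("/" + quote(s, safe=""))
    return f"{directive} {' '.join(out)};"


def serialize(directive: str, sources: list[str]) -> str:
    """Correct form: every source is validated and then copied verbatim."""
    for s in sources:
        classify(s)  # raises on garbage instead of silently encoding it
    return f"{directive} {' '.join(sources)};"


def apply_mutations(policy: dict, mutations: list[dict]) -> dict:
    """Apply 'mode: set' mutations (the only mode shown in the report) to a policy map."""
    result = {k: list(v) for k, v in policy.items()}
    for m in mutations:
        if m["mode"] != "set":
            raise ValueError(f"unsupported mutation mode: {m['mode']!r}")
        result[m["directive"]] = list(m["sources"])
    return result


def render(policy: dict) -> str:
    """Render a policy map as a Content-Security-Policy header value."""
    return " ".join(serialize(d, s) for d, s in policy.items())


def parse_header(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit(header: str) -> list[str]:
    """Findings on a header that is already being sent: percent-encoded tokens
    (the '/%2A' symptom, which matches nothing) and all-origin directives."""
    findings = []
    for directive, sources in parse_header(header).items():
        for s in sources:
            if "%" in s:
                findings.append(f"{directive}: percent-encoded source {s!r} matches nothing")
        if "*" in sources:
            findings.append(f"{directive}: '*' allows any origin; prefer an explicit host list")
    return findings


if __name__ == "__main__":
    mutation = [{"mode": "set", "directive": "frame-src", "sources": ["*"]}]
    print(serialize_naive("frame-src", ["*"]))          # frame-src /%2A;
    print(render(apply_mutations({"default-src": ["'self'"]}, mutation)))
    for finding in audit("default-src 'self'; frame-src /%2A;"):
        print(finding)
```

Running the audit over the header your site actually sends is the quick way to catch this class of regression after an upgrade: a `%2A` token in any directive means the wildcard was encoded and the directive is blocking everything, while a bare `*` in `frame-src` means the policy has effectively been switched off for that directive.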

#1

Updated by Oliver Hader 12 months ago

Most probably the observation is correct. However, allowing everything contradicts the goal of content security policy - using allowed domains explicitly would be preferred. Would that be possible in your case?

#2

Updated by Oliver Hader 12 months ago

  • Tags set to csp

#3

Updated by Gerrit Code Review 12 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78933

#4

Updated by Franz Kugelmann 12 months ago

Oliver Hader wrote in #note-1:

Most probably the observation is correct. However, allowing everything contradicts the goal of content security policy - using allowed domains explicitly would be preferred. Would that be possible in your case?

Thanks for the quick response! We take the situation as a call to action and will try to create a list of allowed domains.

#5

Updated by Gerrit Code Review 12 months ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78995

#6

Updated by Oliver Hader 12 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100