Bug #100798
CSP: wildcard is url-encoded
Status:
closed
Start date:
2023-05-03
Due date:
% Done:
100%
Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
csp
Complexity:
Is Regression:
Sprint Focus:
Description
There is one special case with CSP directives, which is not correctly covered right now. Example:
mutations:
  - mode: set
    directive: 'frame-src'
    sources:
      - '*'
This leads to "frame-src /%2A;", effectively blocking all sources.
Especially for frame-src this global wildcard is in widespread use, since it is hard to predefine which URLs are allowed to be included in iframes.
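
A check for the symptom described above, as an added example that is not part of the original report or of TYPO3's code: a small linter that parses a Content-Security-Policy header value and flags source expressions such as /%2A that are not valid sources. The grammar is a simplified subset of CSP source expressions, and both header strings are constructed samples.

```python
import re

# Simplified subset of the CSP source-expression grammar (assumption of this example).
KEYWORD = re.compile(r"^'(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|"
                     r"strict-dynamic|report-sample|wasm-unsafe-eval)'$")
NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_-]+={0,2}'$")
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
HOST = re.compile(
    r"^([A-Za-z][A-Za-z0-9+.-]*://)?"                  # optional scheme
    r"(\*|(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)"     # "*" or host, optional "*." prefix
    r"(:(\d+|\*))?"                                    # optional port
    r"(/[^\s;,]*)?$"                                   # optional path
)
SOURCE_LIST_EXTRA = {"base-uri", "form-action", "frame-ancestors"}


def parse_policy(header):
    """Return {directive: [sources]}; a repeated directive keeps its first value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def is_valid_source(src):
    return any(p.match(src) for p in (KEYWORD, NONCE_OR_HASH, SCHEME, HOST))


def lint(header):
    """Return (directive, source, reason) findings for malformed source lists."""
    findings = []
    for name, sources in parse_policy(header).items():
        if not (name.endswith(("-src", "-src-elem", "-src-attr")) or name in SOURCE_LIST_EXTRA):
            continue
        bad = [s for s in sources if not is_valid_source(s)]
        for s in bad:
            reason = "percent-encoded wildcard" if "%2a" in s.lower() else "invalid source"
            findings.append((name, s, reason))
        if sources and len(bad) == len(sources):
            findings.append((name, None, "no valid source remains"))
    return findings


# Constructed sample headers: the broken output from the report, and the intended one.
BROKEN = "default-src 'self'; frame-src /%2A; img-src 'self' data: https://*.example.org"
FIXED = "default-src 'self'; frame-src *; img-src 'self' data: https://*.example.org"

if __name__ == "__main__":
    for label, header in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(header))
```

Run against the response headers of a deployed site, a finding of "no valid source remains" on frame-src corresponds to the blocked-iframes behaviour in the description.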