Bug #100798: CSP: wildcard is url-encoded - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #100798

closed

CSP: wildcard is url-encoded

Added by Franz Kugelmann about 1 year ago. Updated about 1 year ago.

Status:

Resolved

Priority:

Should have

Assignee:

Category:

Frontend

Target version:

12 LTS

Start date:

2023-05-03

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

csp

Complexity:

Is Regression:

Sprint Focus:

Description

There is one special case with CSP directives, which is not correctly covered right now. Example:

mutations:
  - mode: set
    directive: 'frame-src'
    sources:
      - '*'

This leads to "frame-src /%2A;", effectively blocking all sources.
Especially for frame-src this global wildcard is in widespread use, since it is hard to predefine which URLs are allowed to be included in iframes.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (1)

Bug #100798

CSP: wildcard is url-encoded

Updated by Oliver Hader about 1 year ago

Updated by Oliver Hader about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Franz Kugelmann about 1 year ago

Updated by Gerrit Code Review about 1 year ago

Updated by Oliver Hader about 1 year ago