Bug #100968
Closed
nonce missing from script tags when USER_INT content on page
100%
Description
When a non-cacheable extbase plugin is present on the page, scripts (inline and otherwise) have the nonce attribute on the first page load after flushing the cache. But on subsequent page loads the nonce is missing.
This issue does not seem to occur when all plugins on the page are cached.
The cause appears to be in RequestHandler, where PageRenderer's nonce property is only set if $controller->isGeneratePage() returns true.
Updated by Oliver Hader 12 months ago
- Status changed from New to Needs Feedback
Does the uncached Extbase plugin set that script tag, or is it just enough to have any COA_INT or USER_INT instruction on that page?
Updated by Oliver Hader 12 months ago
- Status changed from Needs Feedback to Accepted
Confirmed...
The problem is in https://github.com/TYPO3/typo3/blob/96c8577e6d0dec6d0737f488e9819298eb391c40/typo3/sysext/frontend/Classes/Http/RequestHandler.php#L202-L209
In case there are other *_INT cObjects on that page, $pageRenderer->render() is not called, which would have consumed nonces and triggered the permanent nonce substitution in https://github.com/TYPO3/typo3/blob/96c8577e6d0dec6d0737f488e9819298eb391c40/typo3/sysext/frontend/Classes/Http/RequestHandler.php#L144-L151
Updated by Ben McKenzie 12 months ago
Oliver Hader wrote in #note-1:
Does the uncached Extbase plugin set that script tag, or is it just enough to have any COA_INT or USER_INT instruction on that page?
Just confirming that the issue was affecting all scripts (and css) on the page. An uncached plugin just has to be present.
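A regression check for the behaviour reported in this issue, added here as an example; it is not part of the issue thread or of TYPO3's code. It assumes the response sends a nonce source in its Content-Security-Policy header; the helper names and the two sample responses are constructed for illustration. It goes slightly beyond the report by also flagging a nonce that does not match the header.

```python
import re
from html.parser import HTMLParser

def csp_nonces(header):
    """Nonce values allowed by a Content-Security-Policy header value."""
    return set(re.findall(r"'nonce-([A-Za-z0-9+/_=-]+)'", header))

class _Collector(HTMLParser):
    """Collects the tags a nonce-based policy has to cover."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        if tag in ("script", "style") or is_css:
            ref = a.get("src") or a.get("href") or "(inline)"
            self.tags.append((tag, ref, a.get("nonce")))

def nonce_findings(csp_header, html):
    """Return (tag, reference, problem) for every tag the header's nonce does not cover."""
    allowed = csp_nonces(csp_header)
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, ref, nonce in parser.tags:
        if nonce is None:
            findings.append((tag, ref, "missing nonce"))
        elif nonce not in allowed:
            findings.append((tag, ref, "nonce not in header"))
    return findings

# Constructed sample responses (not captured from a real site).
CSP = "default-src 'self'; script-src 'self' 'nonce-{n}'; style-src 'self' 'nonce-{n}'"
PAGE = ('<link rel="stylesheet" href="/site.css"{n}>'
        '<script src="/site.js"{n}></script><script{n}>var ready = true;</script>')
FIRST_LOAD = (CSP.format(n="Zmlyc3Q"), PAGE.format(n=' nonce="Zmlyc3Q"'))  # after cache flush
LATER_LOAD = (CSP.format(n="c2Vjb25k"), PAGE.format(n=""))  # subsequent load, as reported

if __name__ == "__main__":
    for name, (header, body) in (("first load", FIRST_LOAD), ("later load", LATER_LOAD)):
        print(name, nonce_findings(header, body) or "all tags carry the header nonce")
```

To reproduce the report's conditions, feed it the header and body of two consecutive requests to a page that contains an uncached plugin, the first one taken right after flushing the cache.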
Updated by Oliver Hader 12 months ago
- Related to Bug #100665: Handle dynamic nonce update in cached HTML markup added
Updated by Gerrit Code Review 12 months ago
- Status changed from Accepted to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79206
Updated by Oliver Hader 12 months ago
- Priority changed from Should have to Must have
Updated by Gerrit Code Review 11 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79292
Updated by Gerrit Code Review 11 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79206
Updated by Gerrit Code Review 11 months ago
Patch set 2 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79292
Updated by Oliver Hader 11 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 84a10ba3ad9d66817863a63826fa6488fcf82565.