Bug #101887

closed

Javascript error for each module visited on the backend

Added by Riccardo De Contardi 8 months ago. Updated 8 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2023-09-09
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 13
PHP Version: 8.1
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

This issue happens with the latest main (installed using ddev - IDK if it is relevant)

Each time I visit a module on the backend (e.g. the Content Security Policy Module) on the browser console I get the error:

VM9:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-njXWnHjVkLpJzYp0l_dWk-RatlLO4_jfi7U6It22KtiRn8h7T5PKIg' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-FDyPg8CqqIpPAfGVKx1YeKduyLs0ghNYWII21wL+7HM='), or a nonce ('nonce-...') is required to enable inline execution.

The Content Security Policy Module writes an entry for each of these, like:

Details
Directive / Disposition: script-src-elem / enforce
Document URI: https://typo3.main.it.ddev.site:8443/typo3/module/tools/csp (1:311)
Blocked URI: inline
Sample: ;(function r(e,t=!1){const o="6.0";let i
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
UUID: 2ff45b8c-08ec-4d09-8bec-90f8eedf3670
Summary: 7110e80b7a9ecff8dc82e8241d4ef774d3cc36cf

Related issues 1 (1 open, 0 closed)

Related to TYPO3 Core - Task #100906: Handle CSP violations in browser extensions (New, 2023-05-20)

Actions #1

Updated by Riccardo De Contardi 8 months ago

[Update] Clicking on some of the Admin Tools modules, the JavaScript error looks slightly different:

VM760:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-0sZ4V13jq6RabID3JoA8TsBp5BwWK-DQDKFJNvXx5CkDy1xP9Omlwg'". Either the 'unsafe-inline' keyword, a hash ('sha256-FDyPg8CqqIpPAfGVKx1YeKduyLs0ghNYWII21wL+7HM='), or a nonce ('nonce-...') is required to enable inline execution.

If I am not wrong, these errors ARE NOT traced on the "Content Security Policy" module :/

Actions #2

Updated by Riccardo De Contardi 8 months ago

[Update] Using the browser in incognito mode, or using Firefox, seems to prevent this issue.
Thanks to Andreas Fernandez, who suggested to me that some Chrome plugins could be involved in it.

I started turning off each plugin one at a time until I discovered that the one responsible was "Vue.js devtools".

Actions #3

Updated by Riccardo De Contardi 8 months ago

  • Status changed from New to Closed

I close this issue for now as it comes from a specific Chrome extension.

If you think that this is the wrong decision and it is worth investigating further, please reopen it.

Thank you

Actions #4

Updated by Oliver Hader 8 months ago

  • Related to Task #100906: Handle CSP violations in browser extensions added
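
The browser decision behind the console errors quoted in this issue, as an added example that is not part of the original report or of TYPO3's code: a simplified model of the inline-script check for a `script-src` directive, applied to a script injected without the page's nonce. The function names and the script text are constructed for illustration; only the policy string and the first 40 characters of the script (the reported sample) come from the issue.

```javascript
const crypto = require('crypto');

// Policy copied from the console error in the issue description.
const PAGE_POLICY = "script-src 'self' 'nonce-njXWnHjVkLpJzYp0l_dWk-RatlLO4_jfi7U6It22KtiRn8h7T5PKIg' 'report-sample'";
// Constructed inline script; only its first 40 characters match the reported sample.
const INJECTED = ';(function r(e,t=!1){const o="6.0";let i=0;return i})();';

// The hash source that would allow exactly this script text.
function hashSource(text, algo = 'sha256') {
  return `${algo}-${crypto.createHash(algo).update(text, 'utf8').digest('base64')}`;
}

// Simplified model of the browser's inline-script check for one script-src directive.
function checkInlineScript(directive, script) {
  const sources = directive.trim().split(/\s+/).slice(1);
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s)).map((s) => s.slice(7, -1));
  const hashes = sources.filter((s) => /^'sha(256|384|512)-.+'$/.test(s)).map((s) => s.slice(1, -1));

  if (script.nonce && nonces.includes(script.nonce)) return { allowed: true, reason: 'nonce' };
  for (const algo of ['sha256', 'sha384', 'sha512']) {
    if (hashes.includes(hashSource(script.text, algo))) return { allowed: true, reason: 'hash' };
  }
  // 'unsafe-inline' only counts when the list has no nonce or hash source.
  const unsafeInline = sources.includes("'unsafe-inline'") && !nonces.length && !hashes.length;
  if (unsafeInline) return { allowed: true, reason: 'unsafe-inline' };

  return {
    allowed: false,
    reason: 'no matching nonce or hash',
    requiredHash: `'${hashSource(script.text)}'`,
    // With 'report-sample', the report carries the first 40 characters of the script.
    sample: sources.includes("'report-sample'") ? script.text.slice(0, 40) : null,
  };
}

// A script injected without the page's nonce is refused; the page's own script runs.
console.log(checkInlineScript(PAGE_POLICY, { text: INJECTED }));
console.log(checkInlineScript(PAGE_POLICY, { text: 'init()', nonce: 'njXWnHjVkLpJzYp0l_dWk-RatlLO4_jfi7U6It22KtiRn8h7T5PKIg' }));
```

The `requiredHash` value corresponds to the `sha256-...` hint the browser prints in the error; it depends on the full script text, so the constructed script here does not reproduce the hash quoted in the issue.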