Bug #102248: CSP issues in BE for custom eval rules on input fields - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #102248

closed

CSP issues in BE for custom eval rules on input fields

Added by Claus Harup 6 months ago. Updated 6 months ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Documentation

Target version:

Start date:

2023-10-25

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

8.2

Tags:

csp

Complexity:

Is Regression:

Sprint Focus:

Description

https://docs.typo3.org/m/typo3/reference-tca/main/en-us/ColumnsConfig/Type/Input/Properties/Eval.html#custom-eval-rules

When "backend enforce content security policy" is enabled the final script tag contains no nonce and we get CSP issues :-(

Content-Security-Policy: The page's settings blocked the loading of a resource at inline ("script-src").

<script >
/*<![CDATA[*/
var TBE_EDITOR = TBE_EDITOR || { customEvalFunctions: {} }; TBE_EDITOR.customEvalFunctions['TYPOCONSULT\u005CTcSys\u005CEvaluator\u005CUrlEvaluator'] = function(value) { 
            var returnValue = value;

            if(value.length){
                if(value.substring(0, 7) != 'http://' && value.substring(0, 8) != 'https://'){
                    if(value.indexOf('.') > 0){
                        returnValue = 'https://' + value;
                    } else{
                        returnValue = '';
                    }
                }
            }

            return returnValue;
         };
/*]]>*/
</script>

Actions

Copy link

Updated by Oliver Hader 6 months ago

Category changed from Security to Documentation
Status changed from New to Accepted
Assignee deleted (~~Oliver Hader~~)
Target version deleted (~~next-patchlevel~~)
Tags set to csp

The mentioned functionality for dynamically creating JavaScript has been deprecated with TYPO3 v12.4. Allowing dynamic inline scripts (e.g. by adding a nonce or hash value for all of them) would not add to the security aspects of CSP. Thus, the suggestion is to reduce the amount of inline JavaScript and make that static instead.

→ https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/12.4/Deprecation-100587-DeprecateFormEngineAdditionalJavaScriptPostAndCustomEvalInlineJavaScript.html

It seems, that this part has not been adjusted the combined docs, yet.

Actions

Copy link

Updated by Claus Harup 6 months ago

I changed the setup and it works like a charm.... :-)

import FormEngineValidation from "@typo3/backend/form-engine-validation.js";

export class UrlEvaluator {
    static registerCustomEvaluation(value) {
        FormEngineValidation.registerCustomEvaluation(value, UrlEvaluator.evaluateSourceHost)
    }

    static evaluateSourceHost(value) {
        var returnValue = value;

        if (value.length) {
            if (value.substring(0, 7) !== 'http://' && value.substring(0, 8) !== 'https://') {
                if (value.indexOf('.') > 0) {
                    returnValue = 'https://' + value;
                } else {
                    returnValue = '';
                }
            }
        }

        return returnValue;
    }
}