
Bug #102690

open

Script generated with "removeDefaultJS = external" has no nonce attribute

Added by Simon Würstle 5 months ago. Updated 5 months ago.

Status: Accepted
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2023-12-18
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

If you enable [SYS][features][security.frontend.enforceContentSecurityPolicy] and set "config.removeDefaultJS" to "external" (= default), the script tag has no "nonce" attribute and thus the script is blocked by the browser.


Files

csp-script-example.png (58.9 KB) csp-script-example.png Benjamin Franzke, 2023-12-19 07:12
Screenshot 2023-12-19 104916.png (19.5 KB) Screenshot 2023-12-19 104916.png Simon Würstle, 2023-12-19 09:49
#1

Updated by Gerrit Code Review 5 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204

#2

Updated by Gerrit Code Review 5 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204

#3

Updated by Benjamin Franzke 5 months ago

Can you share your CSP Policy and the exact CSP error you get?

Questions:

  1. Which script is exactly failing – is it EXT:frontend/Resources/Public/JavaScript/default_frontend.js which is used for email links or another one? (I'm asking because the proposed fix accounts for the mentioned case)
  2. What is your CSP (inspect via browser tools and show the rendered header – it should contain `script-src 'self'` – see an example below)
  3. Do you use some kind of CDN for assets/typo3temp?

#4

Updated by Simon Würstle 5 months ago

Of course, this is my csp.yaml:

inheritDefault: true
mutations:
  - mode: extend
    directive: 'script-src'
    sources:
      - "'strict-dynamic'"

The error is:
"Refused to load the script 'https://foobar.ddev.site/typo3temp/assets/js/ba19e614c16923a947df5b199324c770.js?1694955793' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-e0E_2ThWz9pRG8NgCXsiWt59tHyzQ1pHKmPRbF9zEUtMVqV-O9uOyg' 'strict-dynamic' 'report-sample'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."

Answers to your questions:
  1. it is the script you mentioned (EXT:frontend/Resources/Public/JavaScript/default_frontend.js)
  2. see attached screenshot
  3. no CDN

#5

Updated by Benjamin Franzke 5 months ago · Edited

  • Status changed from Needs Feedback to Accepted

Understood, thanks!

So strict-dynamic again – we already have some implications for strict-dynamic in place, but obviously not enough:
https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/SourceKeyword.php#L60-L66

Ideally we could apply the strict-dynamic implications also during rendering – like `useNonceIfStrictDynamic`
CC @Oliver Hader
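Added illustration (not code from TYPO3 or from anyone in this thread): a simplified model of the browser-side script-src decision, using the policy and script URL from the violation quoted in #4, to show why 'self' stops matching once 'strict-dynamic' is present and why the rendered script tag needs the nonce attribute. Hashes and scheme wildcards are deliberately not modelled.

```python
from urllib.parse import urlsplit

# Policy and script URL taken from the CSP violation quoted in comment #4.
POLICY = ("script-src 'self' "
          "'nonce-e0E_2ThWz9pRG8NgCXsiWt59tHyzQ1pHKmPRbF9zEUtMVqV-O9uOyg' "
          "'strict-dynamic' 'report-sample'")
SCRIPT_URL = ("https://foobar.ddev.site/typo3temp/assets/js/"
              "ba19e614c16923a947df5b199324c770.js?1694955793")
PAGE_ORIGIN = "https://foobar.ddev.site"


def script_src_sources(policy: str) -> list:
    """Return the source expressions of script-src, which the browser falls
    back to when script-src-elem is not set (as the quoted error notes)."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def script_allowed(policy: str, script_url: str, page_origin: str,
                   nonce_attr: str = "") -> bool:
    """Decide whether a parser-inserted <script src=...> may load under
    `policy` (simplified CSP Level 3 matching; constructed model, not a
    browser implementation)."""
    sources = script_src_sources(policy)
    # A nonce-source matches only if the element carries the identical nonce.
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    if "'strict-dynamic'" in sources:
        # 'strict-dynamic' disables host-based allowlisting, including 'self':
        # without a matching nonce the element is refused. This is the
        # situation described in the bug report.
        return False
    parts = urlsplit(script_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if "'self'" in sources and origin == page_origin:
        return True
    return origin in sources  # plain host-source match


if __name__ == "__main__":
    nonce = "e0E_2ThWz9pRG8NgCXsiWt59tHyzQ1pHKmPRbF9zEUtMVqV-O9uOyg"
    print("without nonce:", script_allowed(POLICY, SCRIPT_URL, PAGE_ORIGIN))
    print("with nonce:   ", script_allowed(POLICY, SCRIPT_URL, PAGE_ORIGIN, nonce))
```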
