
Bug #102377

Updated by Benjamin Franzke 6 months ago

Backend responses must never be cached. The Cache-Control instruction "must-revalidate" implicitly enables caching in order to possibly reuse a response. While that could only happen when two requests to the same URL are invoked within one second (because the browser's `If-Modified-Since` header and our `Last-Modified` header do match, causing the webserver to issue a 304 response), that is certainly possible in CI setups or with fast user clicks.

Nightly runs (and the new CI) caught the following CSP errors, which happened because an attempt was made to reuse a previous request to the same backend URL.
That means the browser sends an `If-Modified-Since` header, the server compares that to our `Last-Modified` header and, because those match for 1s (given times on server and client are equal), the server responds with a 304 response and new CSP headers.

Now, the client uses those new CSP headers on the old (cached) content, causing CSP errors.

 Log from a previous nightly: https://git.typo3.org/typo3/CI/cms/-/jobs/2719694 errors: 

 <pre> 
 1) TemplateCest: Open the TypoScript Object Browser and search a keyword. 
  Test    Acceptance/Application/Template/TemplateCest.php:searchInTypoScriptActive 
  Step    Use existing session "admin" 
  Fail    Found following JavaScript errors in the browser console: 
 01:12:43.964 SEVERE - http://web/typo3/index.php 24 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-q-0rXT6ndm1d4k1PB_skehGuei9NU4RmepZIoI0jaD4t4mptySRwtg' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-mOe1j2nA39ZHBa9vuj8vjm6s1j12BoBxmU5pq+c8myY='), or a nonce ('nonce-...') is required to enable inline execution. 
 01:12:43.965 SEVERE - http://web/typo3/index.php 28 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-q-0rXT6ndm1d4k1PB_skehGuei9NU4RmepZIoI0jaD4t4mptySRwtg' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-eYBX9tiv0eShqtr6+0ybc98Tpn+++UDyS8IavaWnnig='), or a nonce ('nonce-...') is required to enable inline execution. 
 01:12:43.985 SEVERE - http://web/typo3/sysext/core/Resources/Public/JavaScript/java-script-item-handler.js?1699903243 12:137 Uncaught TypeError: Failed to resolve module specifier '@typo3/core/java-script-item-processor.js' 
 Scenario Steps: 
  1. $I->useExistingSession("admin") at Acceptance/Application/Template/TemplateCest.php:26 
 Artifacts: 
 Png: /builds/typo3/CI/cms/typo3/sysext/core/Tests/../../../../typo3temp/var/tests/AcceptanceReports/TYPO3.CMS.Core.Tests.Acceptance.Application.Template.TemplateCest.searchInTypoScriptActive.headless.fail.png 
 Html: /builds/typo3/CI/cms/typo3/sysext/core/Tests/../../../../typo3temp/var/tests/AcceptanceReports/TYPO3.CMS.Core.Tests.Acceptance.Application.Template.TemplateCest.searchInTypoScriptActive.headless.fail.html 
 FAILURES! 
 Tests: 36, Assertions: 162, Failures: 1. 
 </pre>
