Task #100140

closed

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Feature #99499: Introduce Content Security Policy handling

Properly handle inline stylesheets

Added by Oliver Hader about 1 year ago. Updated 3 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2023-03-11
Due date: -
% Done: 100%
Estimated time: -
TYPO3 Version: 12
PHP Version: -
Tags: -
Complexity: -
Sprint Focus: -

Description

See failing Acceptance Tests in https://git.typo3.org/typo3/CI/cms/-/jobs/2057378

  • source 'nonce-...' was given for style-src
  • unsure why a sitemap check (frontend) invokes acceptance tests in the backend

24) SitemapXmlCest: See sitemap xml | "/menu-section-pages"
Test Acceptance/Application/Frontend/SitemapXmlCest.php:seeSitemapXml
Found following JavaScript errors in the browser console:
12:11:55.312 SEVERE - http://web:8000/typo3temp/var/tests/acceptance/typo3/index.php 16 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-p7sAugH1IbHGrW0y_Jf9_kfJA8hS56QuUykpWXQ_b4ahCJucZAcTQg' 'unsafe-inline'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

In order to use stylesheets with nonce sources (implicitly required for 'strict-dynamic' as well)

  • inline styles (style-src-elem) should use a potential nonce
  • lit-elements need to use the window.litNonce work-around

How to trigger this behavior?

Add the nonce-proxy to the backend CSP style-src declaration like this (or apply trigger.patch):

diff --git a/typo3/sysext/backend/Configuration/ContentSecurityPolicies.php b/typo3/sysext/backend/Configuration/ContentSecurityPolicies.php
index 3a57b2ed4b..8e8fce1450 100644
--- a/typo3/sysext/backend/Configuration/ContentSecurityPolicies.php
+++ b/typo3/sysext/backend/Configuration/ContentSecurityPolicies.php
@@ -24,7 +24,7 @@ return Map::fromEntries([
         new Mutation(MutationMode::Extend, Directive::ScriptSrc, SourceKeyword::nonceProxy),
         // `style-src 'unsafe-inline'` required for lit in safari and firefox to allow inline <style> tags
         // (for browsers that do not support https://caniuse.com/mdn-api_shadowroot_adoptedstylesheets)
-        new Mutation(MutationMode::Extend, Directive::StyleSrc, SourceKeyword::unsafeInline),
+        new Mutation(MutationMode::Extend, Directive::StyleSrc, SourceKeyword::unsafeInline, SourceKeyword::nonceProxy),
         // `style-src-attr 'unsafe-inline'` required for remaining inline styles, which is okay for color & dimension
         // (e.g. `<div style="color: #000">` - but NOT having the possibility to use any other assets/files/URIs)
         new Mutation(MutationMode::Set, Directive::StyleSrcAttr, SourceKeyword::unsafeInline),
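Review bot: the two comment lines kept above the changed Mutation still say `style-src 'unsafe-inline'` is required for lit's inline <style> tags, but once SourceKeyword::nonceProxy is listed next to SourceKeyword::unsafeInline a CSP Level 3 browser ignores 'unsafe-inline' (the rule the description quotes from section 6.7.3.2), so those lit styles are refused unless they carry the nonce. If this hunk is only the reproduction patch, say so in the comment; if it is meant to land, update the comment and pair the change with the window.litNonce hint and nonced inline styles the ticket asks for.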

Then e.g. open the rich-text editor (CKEditor5) or the Table Element Wizard (content element, type table) and you'll get something like the following in the browser console:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'nonce-PniZLZFRhVuOMB_rKhX_dyDW493AwF44_KKMB9Bam6FpdH2lkG0z1g'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

CSP Level 3 Specs

Note: 'unsafe-inline' is ignored when using a nonce or hashes.
This behavior is described in CSP L3 in section 6.7.3.2.:2.1 (https://w3c.github.io/webappsec-csp/#allow-all-inline):

If expression matches the nonce-source or hash-source grammar, return "Does Not Allow".


Files

trigger.patch (1.18 KB), Oliver Hader, 2023-03-23 12:09

Related issues (2: 0 open, 2 closed)

Related to TYPO3 Core - Bug #100547: Some icons not rendered anymore having strict CSP style-src directive (Resolved, 2023-04-10)
Related to TYPO3 Core - Task #100667: Apply nonce hint (window.litNonce) on demand only (Closed, 2023-04-19)

Actions #1

Updated by Oliver Hader about 1 year ago

  • Tracker changed from Feature to Task
  • TYPO3 Version set to 12
Actions #2

Updated by Oliver Hader about 1 year ago

  • Description updated (diff)
Actions #3

Updated by Oliver Hader about 1 year ago

Actions #4

Updated by Oliver Hader about 1 year ago

Another issue, that was discovered in ext:styleguide (inline <style> in embedded markup)

<span class="t3js-icon icon icon-size-small icon-state-default icon-module-styleguide" data-identifier="module-styleguide">
  <span class="icon-markup">
<svg xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid" width="1200" height="1200" viewBox="0 0 1200 1200"><defs><style>.cls-1 { fill: #28882d; } .cls-2 { fill: #fff; fill-rule: evenodd; }</style></defs><path class="cls-1" d="M-1-3h1203v1203H-1z"/><path d="M883.593 825.16L719.466 660.624h93.495c7.076 0 13.2-2.583 18.374-7.757 5.167-5.167 7.757-11.29 7.757-18.372 0-7.075-2.59-13.2-7.756-18.373L667.206 451.587h80.43c7.076 0 13.2-2.584 18.373-7.758 5.167-5.168 7.757-11.292 7.757-18.373 0-7.075-2.59-13.2-7.758-18.373L609.23 250.306c-5.173-5.167-11.297-7.757-18.37-7.757-7.082 0-13.207 2.59-18.374 7.756L415.708 407.084c-5.174 5.174-7.757 11.298-7.757 18.373 0 7.08 2.584 13.205 7.758 18.372 5.167 5.173 11.29 7.757 18.372 7.757h80.43L350.385 616.122c-5.174 5.174-7.758 11.298-7.758 18.373 0 7.08 2.584 13.205 7.758 18.372 5.167 5.174 11.29 7.757 18.372 7.757h93.495L298.125 825.16c-5.173 5.173-7.757 11.298-7.757 18.372 0 7.08 2.584 13.205 7.757 18.373 5.167 5.173 11.292 7.757 18.373 7.757H505.12c-.274 4.625-1.09 16.535-2.45 35.724-1.364 19.19-2.04 33.95-2.04 44.298 0 6.8 2.45 12.587 7.348 17.352 4.9 4.76 10.75 7.145 17.556 7.145h130.65c6.8 0 12.655-2.385 17.555-7.144 4.898-4.765 7.348-10.55 7.348-17.352 0-10.347-.683-25.11-2.042-44.298-1.365-19.19-2.18-31.1-2.45-35.724h188.625c7.075 0 13.2-2.584 18.373-7.757 5.167-5.168 7.757-11.292 7.757-18.373 0-7.074-2.59-13.2-7.757-18.372z" class="cls-2"/></svg>
  </span>
</span>

→ reported at https://github.com/TYPO3/styleguide/issues/377

Actions #5

Updated by Oliver Hader about 1 year ago

  • Description updated (diff)
Actions #6

Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78231

Actions #7

Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78231

Actions #8

Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78231

Actions #9

Updated by Oliver Hader about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #10

Updated by Oliver Hader about 1 year ago

  • Related to Bug #100547: Some icons not rendered anymore having strict CSP style-src directive added
Actions #11

Updated by Oliver Hader about 1 year ago

  • Related to Task #100667: Apply nonce hint (window.litNonce) on demand only added
Actions #12

Updated by Benni Mack 3 months ago

  • Status changed from Resolved to Closed