Bug #100558

closed

Content Security Policy: asset 'livereload' is blocked

Added by Henrik Ziegenhain about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Should have
Assignee: -
Category: -
Target version:
Start date: 2023-04-12
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.1
Tags: csp livereload
Complexity:
Is Regression:
Sprint Focus:

Description

Hi,
using this nice feature currently blocks using the CSS and JS Livereload feature during local development.

livereload.js:76 Refused to connect to 'wss://mysite.ddev.site:35729/livereload' because it violates the following Content Security Policy directive: "connect-src 'self' data: *.cookiebot.com *.google-analytics.com".

When allowing the WebSocket "wss:" in the scp.yaml file:
mutations:
  - mode: set
    directive: 'connect-src'
    sources:
      - "'self'" 
      - 'data:'
      - '*.cookiebot.com'
      - '*.google-analytics.com'
      - 'wss:'

This error occurs:
(1/1) #1677261214 InvalidArgumentException
Could not convert source item "wss:" 
in /var/www/html/vendor/typo3/cms-core/Classes/Security/ContentSecurityPolicy/ModelService.php line 68

I think this could be fixed the simple way by adding a new ENUM to \TYPO3\CMS\Core\Security\ContentSecurityPolicy\SourceScheme.php:
case wss = 'wss';

But I don't know if this is a clean solution.
Maybe someone with deeper CSP insights can help here.
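
Why the reported policy blocks the livereload socket, and what each candidate `connect-src` addition then permits, as an added example that is not part of the ticket or of TYPO3's code: a simplified JavaScript model of CSP Level 3 source matching. The page origin `https://mysite.ddev.site` is an assumption inferred from the blocked URL, and `wss://other.example/socket` is a constructed unrelated endpoint.

```javascript
// Simplified model of CSP Level 3 source matching for connect-src.
// Left out: paths, redirects, and upgrade rules for scheme-less host sources.
const DEFAULT_PORT = { http: '80', https: '443', ws: '80', wss: '443' };

function parts(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname, port: u.port || DEFAULT_PORT[scheme] || '', isDefault: u.port === '' };
}

function matchesSource(source, url, pageOrigin) {
  const target = parts(url);
  const page = parts(pageOrigin);
  if (source === "'self'") {
    // 'self' covers the wss:/https: form of the page host, but only on the
    // same port or when both sides use their scheme's default port.
    const schemeOk = target.scheme === page.scheme || ['https', 'wss'].includes(target.scheme) ||
      (page.scheme === 'http' && target.scheme === 'ws');
    const portOk = target.port === page.port || (target.isDefault && page.isDefault);
    return schemeOk && target.host === page.host && portOk;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // Scheme source such as data: or wss: matches every URL with that scheme.
    return target.scheme === source.slice(0, -1).toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Scheme-less host sources are compared with the page scheme only (simplification).
  if ((scheme || page.scheme).toLowerCase() !== target.scheme) return false;
  const hostOk = host.startsWith('*.')
    ? target.host.endsWith(host.slice(1).toLowerCase())
    : target.host === host.toLowerCase();
  const portOk = port === '*' || (port ? port === target.port : target.isDefault);
  return hostOk && portOk;
}

const connectAllowed = (sources, url, pageOrigin) =>
  sources.some((s) => matchesSource(s, url, pageOrigin));

// Sources and LIVERELOAD are from the report; PAGE is assumed, OTHER is constructed.
const PAGE = 'https://mysite.ddev.site';
const LIVERELOAD = 'wss://mysite.ddev.site:35729/livereload';
const OTHER = 'wss://other.example/socket';
const BASE = ["'self'", 'data:', '*.cookiebot.com', '*.google-analytics.com'];
for (const extra of [null, 'wss:', 'wss://mysite.ddev.site:35729']) {
  const sources = extra ? [...BASE, extra] : BASE;
  console.log(extra, connectAllowed(sources, LIVERELOAD, PAGE), connectAllowed(sources, OTHER, PAGE));
}
```

In this model the bare `wss:` scheme source permits WebSocket connections to any host, while the host source `wss://mysite.ddev.site:35729` permits only the livereload endpoint.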

Actions #1

Updated by Oliver Hader about 1 year ago

  • Status changed from New to Accepted

Adding schemes ws: and wss: makes sense.

Actions #2

Updated by Gerrit Code Review about 1 year ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78605

Actions #3

Updated by Oliver Hader about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100