Bug #100558

closed

Content Security Policy: asset 'livereload' is blocked

Added by Henrik Ziegenhain over 1 year ago. Updated 5 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Start date: 2023-04-12
% Done: 100%
TYPO3 Version: 12
PHP Version: 8.1
Tags: csp livereload

Description

Hi,
using this nice feature currently blocks using the CSS and JS Livereload feature during local development.

livereload.js:76 Refused to connect to 'wss://mysite.ddev.site:35729/livereload' because it violates the following Content Security Policy directive: "connect-src 'self' data: *.cookiebot.com *.google-analytics.com".

When allowing the WebSocket scheme "wss:" in the csp.yaml file:
mutations:
  - mode: set
    directive: 'connect-src'
    sources:
      - "'self'" 
      - 'data:'
      - '*.cookiebot.com'
      - '*.google-analytics.com'
      - 'wss:'

This error occurs:
(1/1) #1677261214 InvalidArgumentException
Could not convert source item "wss:" 
in /var/www/html/vendor/typo3/cms-core/Classes/Security/ContentSecurityPolicy/ModelService.php line 68

I think this could be fixed the simple way by adding a new enum case to \TYPO3\CMS\Core\Security\ContentSecurityPolicy\SourceScheme.php:
case wss = 'wss';

But I don't know if this is a clean solution.
Maybe someone with deeper CSP insights can help here.
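
The browser-side decision behind the error quoted in this report can be reproduced with the following added example, which is not part of the original report and is not TYPO3 code. It implements a simplified subset of CSP Level 3 source matching and assumes the page itself is served from `https://mysite.ddev.site/`; it also shows that a bare `wss:` source admits every secure WebSocket endpoint, not only the livereload one.

```javascript
// Simplified subset of CSP Level 3 source matching: 'self', scheme-sources
// ("wss:") and host-sources without scheme, port or path ("*.example.com").
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const portOf = (u) => u.port || DEFAULT_PORTS[u.protocol] || '';
const onDefaultPort = (u) => portOf(u) === DEFAULT_PORTS[u.protocol];

// a = scheme on the policy side, b = scheme of the request (CSP3 upgrade rules).
function schemeMatches(a, b) {
  return a === b
    || (a === 'http:' && b === 'https:')
    || (a === 'ws:' && ['wss:', 'http:', 'https:'].includes(b))
    || (a === 'wss:' && b === 'https:');
}

function sourceAllows(source, page, req) {
  if (source === "'self'") {
    if (page.origin === req.origin) return true;
    const portsOk = portOf(page) === portOf(req) || (onDefaultPort(page) && onDefaultPort(req));
    const schemeOk = ['https:', 'wss:'].includes(req.protocol)
      || (page.protocol === 'http:' && req.protocol === 'ws:');
    return page.hostname === req.hostname && portsOk && schemeOk;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {          // scheme-source
    return schemeMatches(source.toLowerCase(), req.protocol);
  }
  const pattern = source.toLowerCase();                // host-source
  const hostOk = pattern.startsWith('*.')
    ? req.hostname.endsWith(pattern.slice(1))
    : req.hostname === pattern;
  return hostOk && schemeMatches(page.protocol, req.protocol) && onDefaultPort(req);
}

function connectAllowed(sources, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  return sources.some((s) => sourceAllows(s, page, req));
}

// connect-src lists from the report; PAGE is an assumed page URL on the same host.
const ORIGINAL = ["'self'", 'data:', '*.cookiebot.com', '*.google-analytics.com'];
const WITH_WSS = [...ORIGINAL, 'wss:'];
const PAGE = 'https://mysite.ddev.site/';
const LIVERELOAD = 'wss://mysite.ddev.site:35729/livereload';

console.log('original policy allows livereload:', connectAllowed(ORIGINAL, PAGE, LIVERELOAD));
console.log('with wss: allows livereload:', connectAllowed(WITH_WSS, PAGE, LIVERELOAD));
console.log('with wss: allows any wss host:', connectAllowed(WITH_WSS, PAGE, 'wss://unrelated.example:9000/x'));
```

`'self'` does not cover the livereload socket because its port 35729 is not the default port for `wss:`; a same-host socket on the default port would match without any extra source.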
