Bug #100798
closed
CSP: wildcard is url-encoded
100%
Description
There is one special case with CSP directives, which is not correctly covered right now. Example:
mutations:
- mode: set
directive: 'frame-src'
sources:
- '*'
This leads to "frame-src /%2A;", effectively blocking all sources.
Especially for frame-src this global wildcard is in widespread use, since it is hard to predefine which URLs are allowed to be included in iframes.
Updated by Oliver Hader over 1 year ago
Most probably the observation is correct. However, allowing everything contradicts the goal of content security policy - using allowed domains explicitly would be preferred. Would that be possible in your case?
Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78933
Updated by Franz Kugelmann over 1 year ago
Oliver Hader wrote in #note-1:
Most probably the observation is correct. However, allowing everything contradicts the goal of content security policy - using allowed domains explicitly would be preferred. Would that be possible in your case?
Thanks for the quick response! We take the situation as call-to-action and try to create a list of allowed domains.
Updated by Gerrit Code Review over 1 year ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78995
Updated by Oliver Hader over 1 year ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 935fd43592302571d46ff15a7aad2965296484ff.
Updated by