Bug #101169
Admin panel does not allow usage of "nonce"
Status: Closed (100% done)
Description
Within https://github.com/TYPO3/typo3/blob/ae6b8e0dc7788d4d5a278346f6a8cc7671faff55/typo3/sysext/adminpanel/Classes/Utility/ResourceUtility.php#L77 the nonce is not used.
So you can not use the value strict-dynamic for script-src and must use 'self'.
Additionally, the package symfony/var-dumper adds inline JS which also does not respect the nonce value.
The CSP error:
Steps to reproduce:
- Login in the TYPO3 backend
- Activate feature security.frontend.enforceContentSecurityPolicy
- Open the frontend with active admin panel
- Activate the admin panel
- See errors within browser log or within the new csp module
Updated by Oliver Hader 10 months ago
- Is duplicate of Bug #100456: Don't report AdminPanel usages to CSP added
Updated by Oliver Hader 10 months ago
symfony/var-dumper is fixed with https://review.typo3.org/c/Packages/TYPO3.CMS/+/79204
How can one reproduce the issue with ResourceUtility?
Updated by Timo Webler 10 months ago
Oliver Hader wrote in #note-2:
> symfony/var-dumper is fixed with https://review.typo3.org/c/Packages/TYPO3.CMS/+/79204
> How can one reproduce the issue with ResourceUtility?
Use strict-dynamic for script-src instead of 'self':
Refused to load the script 'https://typo3-cms-standard.ddev.site/_assets/0304760f2d5b5a1f133ce43f8d460a02/JavaScript/admin-panel.js' because it violates the following Content Security Policy directive: "script-src-elem 'nonce-k-SiMsIDgLSoLjELO_m8amYQQE2JIcoxoYYGP0S83Xw585n61BwqgQ' 'strict-dynamic' 'report-sample'".
Updated by Oliver Hader 10 months ago
Thx & Confirmed in the markup as well:
<!-- TYPO3 admin panel start -->
<link rel="stylesheet" href="/typo3/sysext/adminpanel/Resources/Public/Css/adminpanel.css" media="all" />
<script src="/typo3/sysext/adminpanel/Resources/Public/JavaScript/admin-panel.js"></script>
Updated by Gerrit Code Review 10 months ago
- Status changed from Accepted to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79494
Updated by Oliver Hader 10 months ago
With the patch applied, it would be like this:
<!-- TYPO3 admin panel start -->
<link nonce="S8eqSZNcg6zdwzFoGisL0MYRQZ-Ki-8SHjhrO7iRTYK5FSXxv5X7zw" rel="stylesheet" media="all" href="/typo3/sysext/adminpanel/Resources/Public/Css/adminpanel.css" />
<script nonce="S8eqSZNcg6zdwzFoGisL0MYRQZ-Ki-8SHjhrO7iRTYK5FSXxv5X7zw" src="/typo3/sysext/adminpanel/Resources/Public/JavaScript/admin-panel.js"></script>
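The browser error quoted in #note-3 and the before/after markup above follow from how a CSP `script-src` directive is evaluated: once `'strict-dynamic'` is present, `'self'` and host sources are ignored and a parser-inserted `<script src>` loads only with a matching nonce (or hash). The following is an added example, not code from TYPO3 or from the patch under review; it models that subset of the evaluation so the three situations in this issue (strict-dynamic without nonce, strict-dynamic with the nonce the patch adds, and the `'self'` workaround) can be checked offline. The nonce value and the policy strings are constructed; hashes and wildcard host sources are not modelled.

```javascript
// Added example, not code from TYPO3 or from the patch under review here.
// A minimal model of how a browser evaluates script-src / script-src-elem for a
// parser-inserted <script src="..."> element. It covers only the source
// expressions that matter for this report: 'nonce-...', 'strict-dynamic',
// 'self' and plain host sources; hashes and wildcards are not modelled.

const NO_OP_KEYWORDS = new Set(['report-sample', 'unsafe-inline', 'unsafe-eval', 'none']);

// Split a directive value such as "'nonce-abc' 'strict-dynamic' 'report-sample'"
// into its structured parts.
function parseScriptSrc(directiveValue) {
  const policy = { nonces: new Set(), strictDynamic: false, self: false, hosts: [] };
  for (const raw of directiveValue.trim().split(/\s+/)) {
    if (raw === '') continue;
    const quoted = raw.startsWith("'") && raw.endsWith("'");
    const token = quoted ? raw.slice(1, -1) : raw;
    if (!quoted) {
      policy.hosts.push(token);                 // host-source, e.g. https://cdn.example.org
    } else if (token.startsWith('nonce-')) {
      policy.nonces.add(token.slice('nonce-'.length));
    } else if (token === 'strict-dynamic') {
      policy.strictDynamic = true;
    } else if (token === 'self') {
      policy.self = true;
    } else if (!NO_OP_KEYWORDS.has(token)) {
      throw new Error(`unsupported source expression: ${raw}`);
    }
    // 'report-sample', 'unsafe-inline', ...: no effect on whether an external script loads here
  }
  return policy;
}

// Decide whether <script src=... nonce=...> on the page at pageUrl may load.
// Returns { allowed, reason } so the reason can be shown next to the verdict.
function evaluateScriptElement(policy, script, pageUrl) {
  if (script.nonce && policy.nonces.has(script.nonce)) {
    return { allowed: true, reason: 'nonce attribute matches the policy' };
  }
  if (policy.strictDynamic) {
    // With 'strict-dynamic' the browser ignores 'self' and host sources, so a
    // parser-inserted script without a matching nonce (or hash) is refused.
    return { allowed: false, reason: "'strict-dynamic' is set and the nonce does not match" };
  }
  const srcOrigin = new URL(script.src, pageUrl).origin;
  if (policy.self && srcOrigin === new URL(pageUrl).origin) {
    return { allowed: true, reason: "'self' matches a same-origin script" };
  }
  const hostMatch = policy.hosts.some(
    (h) => new URL(h.includes('://') ? h : `https://${h}`).origin === srcOrigin,
  );
  if (hostMatch) {
    return { allowed: true, reason: 'a host source matches the script origin' };
  }
  return { allowed: false, reason: 'no source expression matches' };
}

// Constructed inputs mirroring the report; the nonce is a sample value, not the real one.
const PAGE_URL = 'https://typo3-cms-standard.ddev.site/';
const ADMIN_PANEL_JS = '/typo3/sysext/adminpanel/Resources/Public/JavaScript/admin-panel.js';
const SAMPLE_NONCE = 'sample-nonce-value';

// Reproduce the three cases from this issue: strict-dynamic without nonce (refused),
// strict-dynamic with the nonce the patch adds (allowed), and the 'self' workaround.
function demo() {
  const strict = parseScriptSrc(`'nonce-${SAMPLE_NONCE}' 'strict-dynamic' 'report-sample'`);
  const selfOnly = parseScriptSrc(`'nonce-${SAMPLE_NONCE}' 'self'`);
  return {
    strictWithoutNonce: evaluateScriptElement(strict, { src: ADMIN_PANEL_JS }, PAGE_URL).allowed,
    strictWithNonce: evaluateScriptElement(strict, { src: ADMIN_PANEL_JS, nonce: SAMPLE_NONCE }, PAGE_URL).allowed,
    selfWithoutNonce: evaluateScriptElement(selfOnly, { src: ADMIN_PANEL_JS }, PAGE_URL).allowed,
  };
}

console.log(demo());
```

Running it with `node` prints the three verdicts; `strictWithoutNonce` is `false`, which is the refusal from #note-3, and `strictWithNonce` is `true`, which is what the `nonce` attribute in the patched markup achieves. The `'self'` case is allowed, matching the workaround in the description, but it gives up the protection `'strict-dynamic'` offers against scripts loaded from an allowed origin.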
Updated by Gerrit Code Review 10 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79520
Updated by Oliver Hader 10 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset a28cfa49e483d6b55e13b928869e47340068f4e5.
Updated by Gerrit Code Review 10 months ago
- Status changed from Resolved to Under Review
Patch set 2 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79520
Updated by Oliver Hader 10 months ago
- Status changed from Under Review to Resolved
Applied in changeset 3ef7ec48659dfc32e55b28449824abfe2719ee8a.