Bug #101169
Admin panel does not allow usage of "nonce"
Status: Resolved
Priority: Should have
Assignee: -
Category: AdminPanel
Target version: -
Start date: 2023-06-26
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.1
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description
Within https://github.com/TYPO3/typo3/blob/ae6b8e0dc7788d4d5a278346f6a8cc7671faff55/typo3/sysext/adminpanel/Classes/Utility/ResourceUtility.php#L77 the nonce is not used.
So you cannot use the value strict-dynamic for script-src and must use 'self'.
Additionally, the package symfony/var-dumper adds inline JS, which also does not respect the nonce value.
The CSP error:
Steps to reproduce:
- Log in to the TYPO3 backend
- Activate the feature security.frontend.enforceContentSecurityPolicy
- Open the frontend with an active admin panel
- Activate the admin panel
- See errors in the browser log or in the new CSP module
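
The behaviour described in this report, as an added example (not TYPO3 code and not part of the original report): a simplified JavaScript model of how a browser applies script-src to parser-inserted script tags, showing why tags without a nonce fail under strict-dynamic. The origin, the nonce value and the /assets/panel.js path are constructed placeholders.

```javascript
// Simplified model of CSP Level 3 script-src checks for parser-inserted
// <script> tags. Hashes, schemes, wildcards, paths and script-src-elem
// are left out; keywords are matched case-sensitively.
function scriptSources(policy) {
  const directives = new Map();
  for (const d of policy.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  // script-src falls back to default-src; null means "no restriction".
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function isScriptAllowed(policy, script, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1));
  const strictDynamic = sources.includes("'strict-dynamic'");

  // A matching nonce attribute allows inline and external scripts alike.
  if (script.nonce && nonces.includes(script.nonce)) return true;

  if (script.src === undefined) {
    // Inline script: 'unsafe-inline' is ignored as soon as the directive
    // carries a nonce or 'strict-dynamic'.
    return sources.includes("'unsafe-inline'") && nonces.length === 0 && !strictDynamic;
  }
  // External script: 'strict-dynamic' makes the browser ignore 'self' and
  // host sources, so only the nonce check above could have allowed it.
  if (strictDynamic) return false;
  const origin = new URL(script.src, pageOrigin).origin;
  return sources.some((s) => (s === "'self'" ? origin === pageOrigin : s === origin));
}

// Constructed sample values (not taken from TYPO3).
const ORIGIN = 'https://example.org';
const NONCE = 'c29tZS1ub25jZQ';
const STRICT = `script-src 'nonce-${NONCE}' 'strict-dynamic'`;
const SELF = `script-src 'self' 'nonce-${NONCE}'`;
const panelJs = { src: '/assets/panel.js' }; // external file, no nonce
const dumperJs = {};                         // inline JS, no nonce

console.log('external, strict-dynamic:', isScriptAllowed(STRICT, panelJs, ORIGIN));
console.log("external, 'self':", isScriptAllowed(SELF, panelJs, ORIGIN));
console.log("inline, 'self':", isScriptAllowed(SELF, dumperJs, ORIGIN));
console.log('inline with nonce:', isScriptAllowed(STRICT, { nonce: NONCE }, ORIGIN));
```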