Bug #101880

closed

Content Security policy causes a type error

Added by Lina Wolf about 1 year ago. Updated 5 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2023-09-08
% Done: 100%
TYPO3 Version: 12
PHP Version: 8.2

Description

I used the following csp.yaml in my site:

inheritDefault: true
mutations:
  # Results in `default-src 'self'`
  - mode: set
    directive: 'default-src'
    sources:
      - "'self'" 

  # Results in `'unsafe-inline' https://piwik.example.org/ https://service.example.org/`
  - mode: extend
    directive: 'unsafe-inline'
    sources:
      - 'https://piwik.example.org/'
      - 'https://service.example.org/'

When I then try to display the frontend I get:

(1/1) TypeError
TYPO3\CMS\Core\Security\ContentSecurityPolicy\Mutation::__construct(): Argument #2 ($directive) must be of type TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive, null given, called in /var/www/html/vendor/typo3/cms-core/Classes/Security/ContentSecurityPolicy/ModelService.php on line 63

The example configuration https://docs.typo3.org/m/typo3/reference-coreapi/12.4/en-us/ApiOverview/ContentSecurityPolicy/Index.html#site-specific-frontend does not cause this error.

Actions #1

Updated by Oliver Hader about 1 year ago

  • Status changed from New to Needs Feedback

directive: 'unsafe-inline' → this is not a directive, it's a source - it should be something like script-src, style-src or similar - please see the following resources for a list of directives:

Actions #2

Updated by Lina Wolf about 1 year ago

That is true, but I think we still need some error catching and better errors here when input is unexpected.
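
An added example (not part of this thread and not TYPO3's code) of the error handling requested above: the directive name is checked before it reaches a `Directive`-typed parameter, so a source keyword used as a directive yields a configuration error naming the bad value instead of a TypeError. The `Directive` enum, `SOURCE_KEYWORDS` and `resolveDirective()` are hypothetical stand-ins, and it is an assumption that the null in the report comes from a failed string-to-enum lookup.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a string-backed directive enum (not TYPO3's class).
enum Directive: string
{
    case DefaultSrc = 'default-src';
    case ScriptSrc = 'script-src';
    case StyleSrc = 'style-src';
}

// Source keywords that are easily mistaken for directive names.
const SOURCE_KEYWORDS = ["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"];

// Passing Directive::tryFrom($name) straight into a Directive-typed parameter
// raises a TypeError when the name is unknown; resolve and check it first.
function resolveDirective(array $mutation, int $index): Directive
{
    $name = $mutation['directive'] ?? null;
    if (!is_string($name) || $name === '') {
        throw new InvalidArgumentException("mutations[$index]: 'directive' is missing or not a string");
    }
    $directive = Directive::tryFrom($name); // null for names that are not enum values
    if ($directive !== null) {
        return $directive;
    }
    // Accept the keyword with or without its quotes when building the hint.
    $hint = in_array("'" . trim($name, "'") . "'", SOURCE_KEYWORDS, true)
        ? ' (this is a source keyword; list it under "sources" of a directive such as script-src)'
        : '';
    throw new InvalidArgumentException("mutations[$index]: unknown directive \"$name\"$hint");
}

// Constructed input mirroring the two mutations from the report.
$mutations = [
    ['mode' => 'set', 'directive' => 'default-src', 'sources' => ["'self'"]],
    ['mode' => 'extend', 'directive' => 'unsafe-inline', 'sources' => ['https://piwik.example.org/']],
];

foreach ($mutations as $i => $mutation) {
    try {
        echo "mutations[$i]: ", resolveDirective($mutation, $i)->value, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'config error: ', $e->getMessage(), PHP_EOL;
    }
}
```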

Actions #3

Updated by Gerrit Code Review about 1 year ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80950

Actions #4

Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80950

Actions #5

Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80950

Actions #6

Updated by Gerrit Code Review about 1 year ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80950

Actions #7

Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80979

Actions #8

Updated by Oliver Hader about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #9

Updated by Benni Mack 5 months ago

  • Status changed from Resolved to Closed