Bug #101887
Closed
Javascript error for each module visited on the backend
Description
This issue happens with the latest main (installed using ddev - IDK if it is relevant).
Each time I visit a module on the backend (e.g. the Content Security Policy Module), on the browser console I get the error:
VM9:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-njXWnHjVkLpJzYp0l_dWk-RatlLO4_jfi7U6It22KtiRn8h7T5PKIg' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-FDyPg8CqqIpPAfGVKx1YeKduyLs0ghNYWII21wL+7HM='), or a nonce ('nonce-...') is required to enable inline execution.
The Content Security Policy Module writes an entry for each of these, like:
Details
Directive / Disposition: script-src-elem / enforce
Document URI: https://typo3.main.it.ddev.site:8443/typo3/module/tools/csp (1:311)
Blocked URI: inline
Sample: ;(function r(e,t=!1){const o="6.0";let i
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
UUID: 2ff45b8c-08ec-4d09-8bec-90f8eedf3670
Summary: 7110e80b7a9ecff8dc82e8241d4ef774d3cc36cf
Updated by Riccardo De Contardi 8 months ago
[Update] Clicking on some of the Admin Tools modules, the JavaScript error looks slightly different:
VM760:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-0sZ4V13jq6RabID3JoA8TsBp5BwWK-DQDKFJNvXx5CkDy1xP9Omlwg'". Either the 'unsafe-inline' keyword, a hash ('sha256-FDyPg8CqqIpPAfGVKx1YeKduyLs0ghNYWII21wL+7HM='), or a nonce ('nonce-...') is required to enable inline execution.
If I am not wrong, these errors ARE NOT traced on the "Content Security Policy" module :/
Updated by Riccardo De Contardi 8 months ago
[Update] Using the browser in incognito mode or Firefox seems to prevent this issue.
Thanks to Andreas Fernandez, who suggested to me that some Chrome plugins could be involved in it.
I started turning off each plugin one at a time until I discovered that the one responsible was "Vue.js devtools".
Updated by Riccardo De Contardi 8 months ago
- Status changed from New to Closed
I close this issue for now as it comes from a specific Chrome extension.
If you think that this is the wrong decision and it is worth investigating further, please reopen it.
Thank you
Updated by Oliver Hader 8 months ago
- Related to Task #100906: Handle CSP violations in browser extensions added
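Added example (not part of the original issue and not TYPO3 code): a small triage helper that parses the two Chrome console messages quoted in this issue and groups them by the script hash Chrome reports. The function names are hypothetical; the messages are copied from the issue text. Both violations carry the same hash under different nonces, so the same inline script text was blocked on both pages.

```javascript
// Console messages quoted in the issue above (Chrome wording).
const consoleMessages = [
  `VM9:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-njXWnHjVkLpJzYp0l_dWk-RatlLO4_jfi7U6It22KtiRn8h7T5PKIg' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-FDyPg8CqqIpPAfGVKx1YeKduyLs0ghNYWII21wL+7HM='), or a nonce ('nonce-...') is required to enable inline execution.`,
  `VM760:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-0sZ4V13jq6RabID3JoA8TsBp5BwWK-DQDKFJNvXx5CkDy1xP9Omlwg'". Either the 'unsafe-inline' keyword, a hash ('sha256-FDyPg8CqqIpPAfGVKx1YeKduyLs0ghNYWII21wL+7HM='), or a nonce ('nonce-...') is required to enable inline execution.`,
];

// Extract the enforced directive, its nonce and the hash Chrome computed for
// the blocked inline script from one console message (hypothetical helper).
function parseViolation(message) {
  const policy = /directive: "([^"]+)"/.exec(message);
  const hash = /a hash \('(sha(?:256|384|512)-[A-Za-z0-9+\/=]+)'\)/.exec(message);
  if (!policy || !hash) return null; // not a blocked-inline-script message
  const [directive, ...sources] = policy[1].trim().split(/\s+/);
  const nonceSource = sources.find((s) => s.startsWith("'nonce-"));
  return {
    directive,
    // strip the leading 'nonce- and the trailing quote
    nonce: nonceSource ? nonceSource.slice(7, -1) : null,
    // 'report-sample' only asks the browser to include a script excerpt in reports
    reportSample: sources.includes("'report-sample'"),
    scriptHash: hash[1],
  };
}

// Group violations by script hash: the hash depends only on the script text,
// while the nonce differs between the two responses.
function groupByScriptHash(messages) {
  const groups = new Map();
  for (const v of messages.map(parseViolation)) {
    if (!v) continue;
    const g = groups.get(v.scriptHash) ?? { occurrences: 0, nonces: new Set() };
    g.occurrences += 1;
    if (v.nonce) g.nonces.add(v.nonce);
    groups.set(v.scriptHash, g);
  }
  return groups;
}

for (const [hash, g] of groupByScriptHash(consoleMessages)) {
  console.log(`${hash}: blocked ${g.occurrences}x under ${g.nonces.size} distinct nonces`);
}
```

One hash recurring across unrelated backend modules points at a single script source to track down, which here turned out to be the extension named above.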