Bug #101887
Closed
Javascript error for each module visited on the backend
Description
This issue happens with the latest main (installed using ddev - IDK if it is relevant)
Each time I visit a module on the backend (e.g. the Content Security Policy Module), I get this error on the browser console:
VM9:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-njXWnHjVkLpJzYp0l_dWk-RatlLO4_jfi7U6It22KtiRn8h7T5PKIg' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-FDyPg8CqqIpPAfGVKx1YeKduyLs0ghNYWII21wL+7HM='), or a nonce ('nonce-...') is required to enable inline execution.
The Content Security Policy Module writes an entry for each of these, like:
Details
Directive / Disposition: script-src-elem / enforce
Document URI: https://typo3.main.it.ddev.site:8443/typo3/module/tools/csp (1:311)
Blocked URI: inline
Sample: ;(function r(e,t=!1){const o="6.0";let i
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
UUID: 2ff45b8c-08ec-4d09-8bec-90f8eedf3670
Summary: 7110e80b7a9ecff8dc82e8241d4ef774d3cc36cf
Updated by Riccardo De Contardi 10 months ago
[Update] When clicking on some of the Admin Tools modules, the JavaScript error looks slightly different:
VM760:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-0sZ4V13jq6RabID3JoA8TsBp5BwWK-DQDKFJNvXx5CkDy1xP9Omlwg'". Either the 'unsafe-inline' keyword, a hash ('sha256-FDyPg8CqqIpPAfGVKx1YeKduyLs0ghNYWII21wL+7HM='), or a nonce ('nonce-...') is required to enable inline execution.
If I am not wrong, these errors ARE NOT traced on the "Content Security Policy" module :/
Updated by Riccardo De Contardi 10 months ago
[Update] Using the browser in incognito mode or Firefox seems to prevent this issue.
Thanks to Andreas Fernandez, who suggested to me that some Chrome plugins could be involved in it.
I started turning off each plugin one at a time until I discovered that the one responsible was "Vue.js devtools".
Updated by Riccardo De Contardi 10 months ago
- Status changed from New to Closed
I am closing this issue for now as it comes from a specific Chrome extension.
If you think that this is the wrong decision and it is worth investigating further, please reopen it.
Thank you
Updated by Oliver Hader 10 months ago
- Related to Task #100906: Handle CSP violations in browser extensions added