Project

General

Profile

Actions
Copy link

Bug #102057

closed

W3C validator complains about base64 values in CSP

Added by Oliver Hader about 1 year ago. Updated 3 months ago.

Status:
Closed
Priority:
Could have
Assignee:
Oliver Hader
Category:
Content Security Policy
Target version:
-
Start date:
2023-09-28
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
csp
Complexity:
Is Regression:
Sprint Focus:

Description

From https://validator.w3.org/nu/

Warning: Content-Security-Policy HTTP header: Bad content security policy: Invalid base64-value (should be multiple of 4 bytes: 54)

From the specs at https://www.w3.org/TR/CSP3/#framework-directive-source-list

; Nonces: 'nonce-[nonce goes here]'
nonce-source = "'nonce-" base64-value "'"

The base64-value grammar allows both base64 and base64url encoding. These encodings are treated as equivalant when processing hash-source values. Nonces, however, are strict string matches: we use the base64-value grammar to limit the characters available, and reduce the complexity for the server-side operator (encodings, etc), but the user agent doesn’t actually care about any underlying value, nor does it do any decoding of the nonce-source value.

For context, the used nonce value was 'nonce-GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA'

  • that's GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA in base64web
  • that's GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA in base64 (shortened)
  • that's GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA== in base64 (complete, 56 chars, 56 mod 4 = 0)

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Task #101751: Use ConsumableNonce instead of blunt Nonce in CSP contextClosedOliver Hader2023-08-25

Actions
Actions
Copy link

Also available in: Atom PDF