Bug #102248
CSP issues in BE for custom eval rules on input fields (closed)
Description
When "backend enforce content security policy" is enabled the final script tag contains no nonce and we get CSP issues :-(
Content-Security-Policy: The page's settings blocked the loading of a resource at inline ("script-src").
<script >
/*<![CDATA[*/
var TBE_EDITOR = TBE_EDITOR || { customEvalFunctions: {} }; TBE_EDITOR.customEvalFunctions['TYPOCONSULT\u005CTcSys\u005CEvaluator\u005CUrlEvaluator'] = function(value) {
    var returnValue = value;
    if (value.length) {
        if (value.substring(0, 7) != 'http://' && value.substring(0, 8) != 'https://') {
            if (value.indexOf('.') > 0) {
                returnValue = 'https://' + value;
            } else {
                returnValue = '';
            }
        }
    }
    return returnValue;
};
/*]]>*/
</script>
Updated by Oliver Hader about 1 year ago
- Category changed from Security to Documentation
- Status changed from New to Accepted
- Assignee deleted (Oliver Hader)
- Target version deleted (next-patchlevel)
- Tags set to csp
The mentioned functionality for dynamically creating JavaScript has been deprecated with TYPO3 v12.4. Allowing dynamic inline scripts (e.g. by adding a nonce or hash value for all of them) would not add to the security aspects of CSP. Thus, the suggestion is to reduce the amount of inline JavaScript and make that static instead.
It seems that this part has not been adjusted in the combined docs yet.
Updated by Claus Harup about 1 year ago
I changed the setup and it works like a charm.... :-)
import FormEngineValidation from "@typo3/backend/form-engine-validation.js";

export class UrlEvaluator {
    // Registers the evaluator under the given name with the FormEngine validation.
    static registerCustomEvaluation(value) {
        FormEngineValidation.registerCustomEvaluation(value, UrlEvaluator.evaluateSourceHost);
    }

    // Prefixes a bare host with https://, clears values without a dot, leaves URLs as-is.
    static evaluateSourceHost(value) {
        var returnValue = value;
        if (value.length) {
            if (value.substring(0, 7) !== 'http://' && value.substring(0, 8) !== 'https://') {
                if (value.indexOf('.') > 0) {
                    returnValue = 'https://' + value;
                } else {
                    returnValue = '';
                }
            }
        }
        return returnValue;
    }
}
Updated by Oliver Hader about 1 year ago
→ issue in the docs issue tracker: https://github.com/TYPO3-Documentation/TYPO3CMS-Reference-TCA/issues/845