Project

General

Profile

Actions

Bug #102323

closed

CSP issues in BE ckeditor5

Added by Claus Harup about 1 year ago. Updated 6 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
RTE (rtehtmlarea + ckeditor)
Target version:
-
Start date:
2023-11-06
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
8.2
Tags:
csp
Complexity:
Is Regression:
Sprint Focus:

Description

In Firefox I get the following CSP error - only in Firefox


Files


Related issues 1 (1 open0 closed)

Related to TYPO3 Core - Bug #105848: CKEditor inspector creates CSP errors + (sometimes) breaks IRRE records (Firefox)New2024-12-19

Actions
Actions #1

Updated by Claus Harup about 1 year ago

UPDATE: It is not only firefox

Actions #2

Updated by Oliver Hader about 1 year ago

  • Category changed from Security to RTE (rtehtmlarea + ckeditor)
  • Assignee deleted (Oliver Hader)
  • Target version deleted (next-patchlevel)

I'm not sure why CKEditor5 needs to eval code there...

Actions #3

Updated by Oliver Hader about 1 year ago

  • Status changed from New to Needs Feedback

Hm. I was not able to reproduce that with the recent state of the v12.4 branch. Which TYPO3 version/commit are you using?

Actions #4

Updated by Claus Harup about 1 year ago

TYPO3 v.12.4.7

Actions #5

Updated by Oliver Hader about 1 year ago

  • File Screenshot 2023-11-06 at 12.44.21.png added

I was not able to reproduce that in TYPO3 v12.4.7, using the YAML setting editor.config.debug: true to enable the inspector.

Actions #6

Updated by Oliver Hader about 1 year ago

  • File deleted (Screenshot 2023-11-06 at 12.44.21.png)
Actions #8

Updated by Oliver Hader about 1 year ago

Can you provide a script snippet that causes this problem (either by clicking in the console, or it also might be logged in the TYPO3 CSP backend module). It is possible, that browser plugins (e.g. VueJS devtools or similar) are causing these kind of violations...

Actions #10

Updated by Oliver Hader about 1 year ago

Thx. At least I can confirm the implicit eval is in the bundled JavaScript code. The reason seems to be a bundling issue with WebPack and the lack of having a dedicated ES6 module.

Actions #11

Updated by Oliver Hader about 1 year ago

  • Status changed from Needs Feedback to Accepted
Actions #12

Updated by Oliver Hader about 1 year ago

  • Subject changed from CSP issues in BE ckeditor - only in firefox to CSP issues in BE ckeditor5
Actions #13

Updated by Georg Ringer 7 months ago

  • Status changed from Accepted to Resolved

author states that it is fixed, therefore closing issue

Actions #14

Updated by Benni Mack 6 months ago

  • Status changed from Resolved to Closed
Actions #15

Updated by Garvin Hicking 26 days ago

  • Related to Bug #105848: CKEditor inspector creates CSP errors + (sometimes) breaks IRRE records (Firefox) added
Actions

Also available in: Atom PDF