Bug #102323
Closed
CSP issues in BE ckeditor5
Added by Claus Harup 9 months ago. Updated about 1 month ago.
Description
In Firefox I get the following CSP error - only in Firefox
Files
- clipboard-202311061210-2iknz.png (72.9 KB) | Claus Harup, 2023-11-06 11:10
- clipboard-202311061214-ozryz.png (61.4 KB) | Claus Harup, 2023-11-06 11:14
- clipboard-202311061215-jo2cc.png (61.4 KB) | Claus Harup, 2023-11-06 11:15
- clipboard-202311061219-dctfc.png (76.4 KB) | Claus Harup, 2023-11-06 11:19
- 12.4.7-macos-chrome.png (571 KB) | Oliver Hader, 2023-11-06 12:23
- clipboard-202311061345-dwrvz.png (73.9 KB) | Claus Harup, 2023-11-06 12:45
- clipboard-202311061351-zlzab.png (115 KB) | Claus Harup, 2023-11-06 12:51
Updated by Claus Harup 9 months ago
UPDATE: It is not only Firefox
Updated by Oliver Hader 9 months ago
- Category changed from Security to RTE (rtehtmlarea + ckeditor)
- Assignee deleted (Oliver Hader)
- Target version deleted (next-patchlevel)
I'm not sure why CKEditor5 needs to eval code there...
Updated by Oliver Hader 9 months ago
- Status changed from New to Needs Feedback
Hm. I was not able to reproduce that with the recent state of the v12.4 branch. Which TYPO3 version/commit are you using?
Updated by Oliver Hader 9 months ago
- File Screenshot 2023-11-06 at 12.44.21.png added
I was not able to reproduce that in TYPO3 v12.4.7, using the YAML setting editor.config.debug: true to enable the inspector.
Updated by Oliver Hader 9 months ago
- File deleted (Screenshot 2023-11-06 at 12.44.21.png)
Updated by Oliver Hader 9 months ago
- File 12.4.7-macos-chrome.png added
Updated by Oliver Hader 9 months ago
Can you provide a script snippet that causes this problem (either by clicking in the console, or it also might be logged in the TYPO3 CSP backend module)? It is possible that browser plugins (e.g. VueJS devtools or similar) are causing these kinds of violations...
Updated by Claus Harup 9 months ago
- File clipboard-202311061345-dwrvz.png added
- File clipboard-202311061351-zlzab.png added
Updated by Oliver Hader 9 months ago
Thx. At least I can confirm the implicit eval is in the bundled JavaScript code. The reason seems to be a bundling issue with WebPack and the lack of having a dedicated ES6 module.
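An added example, not part of the thread and not TYPO3 or CKEditor code: triaging CSP violation reports in the report-uri JSON shape to separate eval violations raised by page scripts from violations that originate in browser extensions, the two causes discussed above. The report values and the example.test URLs are constructed sample data.

```javascript
// Added example: classify CSP violation reports (report-uri JSON shape).
// Assumption: reports arrive as {"csp-report": {...}} objects or as the bare inner object.
const EXTENSION_SCHEMES = ["moz-extension", "chrome-extension", "safari-web-extension"];

function classifyViolation(report) {
  const r = report["csp-report"] || report;
  const directive = r["effective-directive"] || r["violated-directive"] || "";
  const source = r["source-file"] || "";
  const blocked = r["blocked-uri"] || "";
  // A violation whose source or blocked resource is an extension URL is not site code.
  if (EXTENSION_SCHEMES.some((s) => source.startsWith(s) || blocked.startsWith(s))) {
    return "browser-extension";
  }
  // eval(), new Function() and string timers are reported with blocked-uri "eval".
  if (blocked === "eval" && directive.startsWith("script-src")) {
    return "eval-in-page-script";
  }
  return "other";
}

function summarize(reports) {
  const out = { "browser-extension": [], "eval-in-page-script": [], other: [] };
  for (const rep of reports) {
    const r = rep["csp-report"] || rep;
    const where = `${r["source-file"] || "(unknown)"}:${r["line-number"] ?? "?"}`;
    out[classifyViolation(rep)].push(where);
  }
  return out;
}

// Constructed sample reports (not taken from the issue's screenshots).
const sampleReports = [
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "eval",
      "source-file": "https://example.test/backend/editor-bundle.js", "line-number": 5 } },
  { "csp-report": { "violated-directive": "script-src-elem", "blocked-uri": "moz-extension",
      "source-file": "moz-extension://0000/content.js", "line-number": 1 } },
  { "csp-report": { "effective-directive": "img-src",
      "blocked-uri": "https://example.test/x.png" } },
];

console.log(JSON.stringify(summarize(sampleReports), null, 2));
```

An "eval-in-page-script" entry whose source file is the site's own bundle points at the bundled code rather than at a browser plugin.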
Updated by Oliver Hader 9 months ago
- Status changed from Needs Feedback to Accepted
Updated by Oliver Hader 9 months ago
- Subject changed from CSP issues in BE ckeditor - only in firefox to CSP issues in BE ckeditor5
Updated by Georg Ringer 2 months ago
- Status changed from Accepted to Resolved
author states that it is fixed, therefore closing issue