Bug #102377

closed

Backend requests are cached (and used) within 1s timeframe

Added by Benjamin Franzke about 1 year ago. Updated 4 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: System/Bootstrap/Configuration
Start date: 2023-11-16
% Done: 100%
TYPO3 Version: 12

Description

Backend responses must never be cached. The Cache-Control instruction "must-revalidate" implicitly enables
caching in order to possibly reuse a response. While that could only happen when two requests to the same URL are
invoked within one second (because the browser's `If-Modified-Since` header and our `Last-Modified` header
do match, causing the webserver to issue a 304 response), that is certainly possible in CI setups or fast user clicks.

Nightly runs (and new CI) caught the following CSP errors that happened because a previous request to the same backend URL
was tried to be reused.
That means the browser sends an `If-Modified-Since` header, the server compares that to our Last-Modified header and because those match for 1s (given times on server and client are equal), the server responds with a 304 response and new CSP headers.

Now, the client uses those new CSP headers on the old (cached) content, causing CSP errors.

Log from a previous nightly: https://git.typo3.org/typo3/CI/cms/-/jobs/2719694

```
1) TemplateCest: Open the TypoScript Object Browser and search a keyword.
 Test  Acceptance/Application/Template/TemplateCest.php:searchInTypoScriptActive
 Step  Use existing session "admin" 
 Fail  Found following JavaScript errors in the browser console:
01:12:43.964 SEVERE - http://web/typo3/index.php 24 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-q-0rXT6ndm1d4k1PB_skehGuei9NU4RmepZIoI0jaD4t4mptySRwtg' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-mOe1j2nA39ZHBa9vuj8vjm6s1j12BoBxmU5pq+c8myY='), or a nonce ('nonce-...') is required to enable inline execution.
01:12:43.965 SEVERE - http://web/typo3/index.php 28 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-q-0rXT6ndm1d4k1PB_skehGuei9NU4RmepZIoI0jaD4t4mptySRwtg' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-eYBX9tiv0eShqtr6+0ybc98Tpn+++UDyS8IavaWnnig='), or a nonce ('nonce-...') is required to enable inline execution.
01:12:43.985 SEVERE - http://web/typo3/sysext/core/Resources/Public/JavaScript/java-script-item-handler.js?1699903243 12:137 Uncaught TypeError: Failed to resolve module specifier '@typo3/core/java-script-item-processor.js'
Scenario Steps:
 1. $I->useExistingSession("admin") at Acceptance/Application/Template/TemplateCest.php:26
Artifacts:
Png: /builds/typo3/CI/cms/typo3/sysext/core/Tests/../../../../typo3temp/var/tests/AcceptanceReports/TYPO3.CMS.Core.Tests.Acceptance.Application.Template.TemplateCest.searchInTypoScriptActive.headless.fail.png
Html: /builds/typo3/CI/cms/typo3/sysext/core/Tests/../../../../typo3temp/var/tests/AcceptanceReports/TYPO3.CMS.Core.Tests.Acceptance.Application.Template.TemplateCest.searchInTypoScriptActive.headless.fail.html
FAILURES!
Tests: 36, Assertions: 162, Failures: 1.
```
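
The sequence described in this report, as an added simulation that is not part of the original issue and not TYPO3 code: a server that issues a fresh CSP nonce per response with a one-second `Last-Modified`, and a browser cache that revalidates and reuses the stored body on 304. The nonces, timestamps and function names are constructed, and `no-store` is used as the contrasting header by assumption; the page does not record which header the fix chose.

```javascript
// Constructed simulation; not TYPO3 code. Nonces, timestamps and names are illustrative.
let counter = 0; // real nonces are random; a counter keeps the run reproducible

// Server side: fresh CSP nonce per response, Last-Modified with 1 s resolution.
function origin(req, nowMs, cacheControl) {
  const nonce = `n${++counter}`;
  const lastModified = Math.floor(nowMs / 1000); // HTTP dates carry whole seconds
  const headers = {
    'cache-control': cacheControl,
    'last-modified': lastModified,
    'content-security-policy': `script-src 'self' 'nonce-${nonce}'`,
  };
  // Conditional request: nothing newer than the client's copy means 304, no body.
  if (req.ifModifiedSince !== undefined && lastModified <= req.ifModifiedSince) {
    return { status: 304, headers, body: null };
  }
  return { status: 200, headers, body: `<script nonce="${nonce}">init()</script>` };
}

// Client side: minimal browser cache that revalidates any stored response.
class Browser {
  constructor() { this.cache = new Map(); }
  load(url, nowMs, cacheControl) {
    const stored = this.cache.get(url);
    const req = stored ? { ifModifiedSince: stored.headers['last-modified'] } : {};
    const res = origin(req, nowMs, cacheControl);
    if (res.status === 304) {
      // RFC 9111, 4.3.4: the 304's headers replace the stored ones, the body is reused.
      stored.headers = { ...stored.headers, ...res.headers };
      return stored;
    }
    const doc = { headers: res.headers, body: res.body };
    if (!cacheControl.includes('no-store')) this.cache.set(url, doc);
    return doc;
  }
}

// CSP check for the inline script: its nonce must appear in the policy in effect.
function inlineScriptAllowed(doc) {
  const scriptNonce = /nonce="([^"]+)"/.exec(doc.body)[1];
  return doc.headers['content-security-policy'].includes(`'nonce-${scriptNonce}'`);
}

// Load the same backend URL twice, gapMs apart, and check the second render.
function secondLoadAllowed(cacheControl, gapMs) {
  const browser = new Browser();
  browser.load('/typo3/index.php', 1700000000000, cacheControl);
  return inlineScriptAllowed(browser.load('/typo3/index.php', 1700000000000 + gapMs, cacheControl));
}
```

`secondLoadAllowed('must-revalidate', 200)` returns `false` because the 304 delivers a new nonce for a body that still carries the old one, while a 1500 ms gap or `no-store` returns `true`.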