TYPO3 Core

I think the problem is that the call $this->setNonce(new ConsumableNonce($value)); in the function updateState in typo3/cms-core/Classes/Page/PageRenderer.php is no longer set directly as a value with the ConsumableString as before, but is first encoded with base64urlEncode.

I have written a patch that only uses base64urlEncode if there is no nonce. Otherwise, the nonce may no longer fit.
With the patch all my error cases are fixed.

Can you please provide the CSP error message shown in the browser console?

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81841

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81893

Almost merged. I'm confirming it was a regression of #101751

As I've discovered and fixed the issue separately, I just wanted to mention that you may want to consider a fix that truly prevents double base64 encoding by checking whether the provided value is a valid base64 string. Here is a complete example:

if ($nonce === null || strlen($nonce) < self::MIN_BYTES) {
    $this->b64 = StringUtility::base64urlEncode(random_bytes(self::MIN_BYTES));
    // Prevents double base64 encoding
} elseif (base64_decode(strtr($nonce, ['-' => '+', '_' => '/']), true)) {
    $this->b64 = $nonce;
} else {
    $this->b64 = StringUtility::base64urlEncode($nonce);
}

For consistency reasons, you would probably want to extend TYPO3\CMS\Core\Utility\StringUtility::base64urlDecode with a second boolean parameter called $strict and then pass it to the built-in PHP base64_decode.

I've created a new issue for the strict base64urlDecode → https://forge.typo3.org/issues/102620