Bug #102438
closed
CSP-Errors after update to 12.4.8
Added by Michael Binder about 1 year ago.
Updated 5 months ago.
Description
After updating from 12.4.7 to 12.4.8, I am getting CSP error messages, which means that my integrated JavaScripts are no longer running correctly.
I have noticed this behaviour in Fluid with '<f:asset.script useNonce="true"', with the TypoScript integration includeJS(Footer) and via reloaded content from a GoogleMaps integration. All three work correctly after downgrading to version 12.4.7.
If I use Fluid with '<f:asset.script nonce="{f:security.nonce()}"', the integration works without CSP error messages. Of course, this does not work with the GoogleMaps plugin.
Is there anything else I need to set in the CSP config with the new version?
- Status changed from New to Under Review
I think the problem is that the call $this->setNonce(new ConsumableNonce($value)); in the function updateState in typo3/cms-core/Classes/Page/PageRenderer.php no longer sets the value directly from the ConsumableString as before, but first encodes it with base64urlEncode.
I have written a patch that only uses base64urlEncode if there is no nonce. Otherwise, the nonce may no longer fit.
With the patch all my error cases are fixed.
Can you please provide the CSP error message shown in the browser console?
- Related to Bug #102460: Incorrect CSP nonce on additional steps and the confirmation message of the form added
- Related to Task #101751: Use ConsumableNonce instead of blunt Nonce in CSP context added
Almost merged. I'm confirming it was a regression of #101751
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
As I've discovered and fixed the issue separately, I just wanted to mention that you may want to consider a fix that truly prevents double base64 encoding by checking whether the provided value is a valid base64 string. Here is a complete example:
if ($nonce === null || strlen($nonce) < self::MIN_BYTES) {
    // No usable value given: mint a fresh random nonce, encoded exactly once
    $this->b64 = StringUtility::base64urlEncode(random_bytes(self::MIN_BYTES));
} elseif (base64_decode(strtr($nonce, ['-' => '+', '_' => '/']), true) !== false) {
    // Prevents double base64 encoding: a value that is already valid base64url
    // (strict decode succeeds) is kept as-is instead of being encoded again
    $this->b64 = $nonce;
} else {
    // Raw bytes: encode exactly once
    $this->b64 = StringUtility::base64urlEncode($nonce);
}
For consistency reasons, you would probably want to extend TYPO3\CMS\Core\Utility\StringUtility::base64urlDecode
with a second boolean parameter called $strict and then pass it to the built-in PHP base64_decode.
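The following is an added example, not code from TYPO3 or from either commenter. It ties together the reporter's analysis (the restored PageRenderer state is run through base64urlEncode a second time) and the check proposed in the comment above: a stand-in nonce value object with a switch that reproduces the 12.4.8 behaviour or applies the strict-decode check, plus a simulation of the browser's header-vs-attribute comparison. The class name NonceValue, the value of MIN_BYTES, the local base64urlEncode()/base64urlDecode() helpers (TYPO3 has its own in StringUtility) and PHP 8.1 are assumptions made for this example only.

```php
<?php
declare(strict_types=1);

// Local helpers so the example runs on its own; TYPO3 ships its own versions
// in StringUtility, which are not used here.
function base64urlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// $strict mirrors the second parameter proposed above: with it, any character
// outside the base64url alphabet makes the decode return false.
function base64urlDecode(string $value, bool $strict = false): string|false
{
    return base64_decode(strtr($value, '-_', '+/'), $strict);
}

// Stand-in for the nonce value object (assumed name). With $reencodeEverything
// set, every non-null input is base64url-encoded again, which is the behaviour
// the reporter describes for 12.4.8; without it, the check from the comment
// above decides whether the input is already encoded.
final class NonceValue
{
    private const MIN_BYTES = 40;   // assumed value; the real constant is not shown on this page
    public readonly string $b64;

    public function __construct(?string $nonce = null, bool $reencodeEverything = false)
    {
        if ($nonce === null || strlen($nonce) < self::MIN_BYTES) {
            // No usable value: mint a fresh random nonce, encoded once
            $this->b64 = base64urlEncode(random_bytes(self::MIN_BYTES));
        } elseif (!$reencodeEverything && base64urlDecode($nonce, true) !== false) {
            // Already base64url (e.g. restored from serialized PageRenderer state):
            // keep it, so it stays identical to the value the CSP header carries
            $this->b64 = $nonce;
        } else {
            // Raw bytes: encode exactly once
            $this->b64 = base64urlEncode($nonce);
        }
    }
}

// The browser's decision: an inline script runs only if its nonce attribute
// matches a 'nonce-...' source expression in the header byte for byte.
function scriptAllowed(string $headerNonce, string $scriptTagNonce): bool
{
    return hash_equals($headerNonce, $scriptTagNonce);
}

// Simulates the round trip from the report: the nonce is minted for the request
// and its base64url form goes into the Content-Security-Policy header; later the
// PageRenderer state holding that same string is restored and a new nonce object
// is built from it, and its value lands in the <script nonce="..."> attribute.
function roundTrip(bool $reencodeEverything): bool
{
    $original = new NonceValue();
    $headerNonce = $original->b64;                               // script-src 'nonce-<headerNonce>'
    $restored = new NonceValue($original->b64, $reencodeEverything);
    return scriptAllowed($headerNonce, $restored->b64);          // <script nonce="<restored->b64>">
}

var_dump(roundTrip(true));                          // 12.4.8 behaviour: value encoded twice
var_dump(roundTrip(false));                         // with the strict-decode check applied
var_dump(base64urlDecode('not/base64url!', true));  // strict decode of a non-base64url string
```

roundTrip(true) yields a mismatch: the restored object encodes the 54-character base64url string a second time into a 72-character one, so the nonce attribute no longer equals the 'nonce-...' source in the header and the browser refuses to execute the script, which is the console error the reporter saw. roundTrip(false) keeps the stored string, so header and attribute agree. One caveat on the check itself: a strict decode only proves that the input consists of base64url alphabet characters and has a plausible length, not that it was produced by the encoder. For 40 random raw bytes the chance that every byte happens to fall into that 64-character alphabet is (64/256)^40, so the heuristic is safe for this use, but it is not a general-purpose "was this already encoded" test for arbitrary inputs.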
- Related to Task #102620: Add strict parameter to base64url decode added
- Status changed from Resolved to Closed