Project

General

Profile

Actions

Bug #102460

closed

Incorrect CSP nonce on additional steps and the confirmation message of the form

Added by Benjamin Robinson about 1 year ago. Updated 5 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Form Framework
Target version:
-
Start date:
2023-11-22
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Precondition: Feature-Toggle "Security: backend enforce content security policy" on.

With additional form steps, error messages (e.g. when validating a mail address) or the confirmation message of the form, an invalid nonce is sent in the header, so that styles and scripts (e.g. <f:asset.css identifier="background-image" useNonce="1" priority="1">) from the main template of the page no longer work. The "previous button" does not work either.

Tested on TYPO3 12.4.7 + 12.4.8


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #102438: CSP-Errors after update to 12.4.8Closed2023-11-21

Actions
Actions #1

Updated by Benjamin Robinson about 1 year ago

Correction, I meant "Security: frontend enforce content security policy"

Actions #2

Updated by Michael Binder about 1 year ago

I have not tested it but it may be the same error as in https://forge.typo3.org/issues/102438 You can either test if the corresponding patch works or if nonce="{f:security.nonce()}" works for as a workaround.

Actions #3

Updated by Benjamin Robinson about 1 year ago

  • Related to Bug #102438: CSP-Errors after update to 12.4.8 added
Actions #4

Updated by Benjamin Robinson about 1 year ago

Michael Binder wrote in #note-2:

I have not tested it but it may be the same error as in https://forge.typo3.org/issues/102438 You can either test if the corresponding patch works or if nonce="{f:security.nonce()}" works for as a workaround.

Thanks, yes, both the patch and the workaround work and the scripts and CSS are effective again.
Only the back button of the form …
<button formnovalidate="formnovalidate" class="btn btn-cancel" onclick="document.forms['contactform-55'].submit();" type="button" name="" value="">back</button>
… does not yet work due to the onclick.

Actions #5

Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81878

Actions #6

Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81878

Actions #7

Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81878

Actions #8

Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81960

Actions #9

Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81960

Actions #10

Updated by Oliver Hader about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #11

Updated by Benni Mack 5 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF