Bug #102460
closedIncorrect CSP nonce on additional steps and the confirmation message of the form
100%
Description
Precondition: Feature-Toggle "Security: backend enforce content security policy" on.
With additional form steps, error messages (e.g. when validating a mail address) or the confirmation message of the form, an invalid nonce is sent in the header, so that styles and scripts (e.g. <f:asset.css identifier="background-image" useNonce="1" priority="1">) from the main template of the page no longer work. The "previous button" does not work either.
Tested on TYPO3 12.4.7 + 12.4.8
Updated by Benjamin Robinson about 1 year ago
Correction, I meant "Security: frontend enforce content security policy"
Updated by Michael Binder about 1 year ago
I have not tested it but it may be the same error as in https://forge.typo3.org/issues/102438 You can either test if the corresponding patch works or if nonce="{f:security.nonce()}"
works for as a workaround.
Updated by Benjamin Robinson about 1 year ago
- Related to Bug #102438: CSP-Errors after update to 12.4.8 added
Updated by Benjamin Robinson about 1 year ago
Michael Binder wrote in #note-2:
I have not tested it but it may be the same error as in https://forge.typo3.org/issues/102438 You can either test if the corresponding patch works or if
nonce="{f:security.nonce()}"
works for as a workaround.
Thanks, yes, both the patch and the workaround work and the scripts and CSS are effective again.
Only the back button of the form …<button formnovalidate="formnovalidate" class="btn btn-cancel" onclick="document.forms['contactform-55'].submit();" type="button" name="" value="">back</button>
… does not yet work due to the onclick.
Updated by Gerrit Code Review about 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81878
Updated by Gerrit Code Review about 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81878
Updated by Gerrit Code Review about 1 year ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81878
Updated by Gerrit Code Review about 1 year ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81960
Updated by Gerrit Code Review about 1 year ago
Patch set 2 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81960
Updated by Oliver Hader about 1 year ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 2a72b5900617fe393372dc355d0699a0fd8aaf35.