Bug #102460
closed
Incorrect CSP nonce on additional steps and the confirmation message of the form
Added by Benjamin Robinson about 1 year ago.
Updated 7 months ago.
Description
Precondition: Feature-Toggle "Security: backend enforce content security policy" on.
With additional form steps, error messages (e.g. when validating a mail address) or the confirmation message of the form, an invalid nonce is sent in the header, so that styles and scripts (e.g. <f:asset.css identifier="background-image" useNonce="1" priority="1">) from the main template of the page no longer work. The "previous button" does not work either.
Tested on TYPO3 12.4.7 + 12.4.8
Correction, I meant "Security: frontend enforce content security policy"
I have not tested it but it may be the same error as in https://forge.typo3.org/issues/102438. You can either test if the corresponding patch works or if nonce="{f:security.nonce()}" works as a workaround.
- Related to Bug #102438: CSP-Errors after update to 12.4.8 added
Michael Binder wrote in #note-2:
I have not tested it but it may be the same error as in https://forge.typo3.org/issues/102438. You can either test if the corresponding patch works or if nonce="{f:security.nonce()}" works as a workaround.
Thanks, yes, both the patch and the workaround work and the scripts and CSS are effective again.
Only the back button of the form …
<button formnovalidate="formnovalidate" class="btn btn-cancel" onclick="document.forms['contactform-55'].submit();" type="button" name="" value="">back</button>
… does not yet work due to the onclick.
- Status changed from New to Under Review
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Closed
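Both failures reported in this thread (a nonce in the markup that differs from the one in the Content-Security-Policy header, and an inline onclick) can be checked from a captured response. The following is an added example, not part of the issue or of TYPO3; the function names, the header value and the nonce values are constructed, and the regex scan is a triage heuristic, not an HTML parser.

```javascript
// Constructed sample: CSP header value and response body of a later form step.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'nonce-HEADERNONCE1'; style-src 'self' 'nonce-HEADERNONCE1'";
const SAMPLE_HTML = `
<style nonce="OLDNONCE0">body{background:#eee}</style>
<script nonce="HEADERNONCE1" src="/main.js"></script>
<button formnovalidate="formnovalidate" class="btn btn-cancel"
  onclick="document.forms['contactform-55'].submit();" type="button">back</button>`;

// Collect every nonce source listed anywhere in the header value.
function headerNonces(csp) {
  const nonces = new Set();
  for (const m of csp.matchAll(/'nonce-([^']+)'/g)) nonces.add(m[1]);
  return nonces;
}

// Report (a) elements whose nonce attribute is not in the header and
// (b) inline event handler attributes, which a nonce never authorises.
function auditCspNonce(csp, html) {
  const allowed = headerNonces(csp);
  const staleNonce = [];
  const inlineHandlers = [];
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const nonce = /\snonce\s*=\s*"([^"]*)"/i.exec(attrs);
    if (nonce && !allowed.has(nonce[1])) {
      staleNonce.push({ tag, nonce: nonce[1] });
    }
    for (const h of attrs.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      inlineHandlers.push({ tag, handler: h[1].toLowerCase() });
    }
  }
  return { staleNonce, inlineHandlers };
}

console.log(JSON.stringify(auditCspNonce(SAMPLE_CSP, SAMPLE_HTML), null, 2));
```

A non-empty staleNonce list matches the symptom in the description; an entry in inlineHandlers stays blocked even when every nonce matches, so the handler has to move into a nonce-carrying script that attaches it with addEventListener.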