Bug #102690
openScript generated with "removeDefaultJS = external" has no nonce attribute
Description
If you enable [SYS][features][security.frontend.enforceContentSecurityPolicy] and set "config.removeDefaultJS" to "external" (= default), the script tag has no "nonce" attribute and thus the script is blocked by the browser.
Updated by Gerrit Code Review 11 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204
Updated by Gerrit Code Review 11 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204
Updated by Benjamin Franzke 11 months ago
- File csp-script-example.png csp-script-example.png added
- Status changed from Under Review to Needs Feedback
Can you share your CSP Policy and the exact CSP error you get?
Questions:
- Which script is exactly failing – is it EXT:frontend/Resources/Public/JavaScript/default_frontend.js which is used for email links or another one? (I'm asking because the proposed fix accounts for the mentioned case)
- What is your CSP (inspect via browser tools and show the rendered header – it should contain `script-src 'self'` – see an example below)
- Do you use some kind of CDN for assets/typo3temp?
Updated by Simon Würstle 11 months ago
Of course, this is my csp.yaml:
```yaml
inheritDefault: true
mutations:
  - mode: extend
    directive: 'script-src'
    sources:
      - "'strict-dynamic'"
```
The error is:
"Refused to load the script 'https://foobar.ddev.site/typo3temp/assets/js/ba19e614c16923a947df5b199324c770.js?1694955793' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-e0E_2ThWz9pRG8NgCXsiWt59tHyzQ1pHKmPRbF9zEUtMVqV-O9uOyg' 'strict-dynamic' 'report-sample'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."
- it is the script you mentioned (EXT:frontend/Resources/Public/JavaScript/default_frontend.js)
- see attached screenshot
- no CDN
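The refusal quoted above follows directly from how `'strict-dynamic'` changes script-src evaluation: once it is present, `'self'` and host sources are ignored for script elements, so only a matching nonce (or hash) can admit a tag. The following is an added example, not TYPO3 code, that models that decision for a parser-inserted `<script src>` tag and renders a tag carrying the nonce attribute the report says is missing. The header shape mirrors the one in the error message, but the nonce value, page URL and script path are constructed for the example.

```python
"""Added example (not part of TYPO3): a simplified model of the CSP
script-src check a browser applies to an external <script> element,
plus a renderer that emits the tag with a nonce attribute."""
import html
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values: same header shape as the report, made-up nonce.
SAMPLE_NONCE = "abc123"
STRICT_HEADER = f"script-src 'self' 'nonce-{SAMPLE_NONCE}' 'strict-dynamic' 'report-sample'"
HOST_HEADER = f"script-src 'self' 'nonce-{SAMPLE_NONCE}'"
PAGE_URL = "https://foobar.ddev.site/"
SCRIPT_URL = "https://foobar.ddev.site/typo3temp/assets/js/example.js"


def parse_script_src(header: str) -> list:
    """Return the source expressions of the script-src directive, quotes stripped."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return [p.strip("'") for p in parts[1:]]
    return []


def script_allowed(header: str, script_url: str, page_url: str,
                   nonce: Optional[str] = None) -> bool:
    """Simplified check for a parser-inserted <script src> element.

    Rule order relevant to this bug: a matching nonce always admits the
    script; once 'strict-dynamic' is present, 'self' and host sources are
    disabled, so a tag without a nonce is refused; without 'strict-dynamic'
    the usual host-based matching applies.
    """
    sources = parse_script_src(header)
    nonces = {s[len("nonce-"):] for s in sources if s.startswith("nonce-")}
    if nonce is not None and nonce in nonces:
        return True
    if "strict-dynamic" in sources:
        return False  # host-based allowlisting is disabled
    page, script = urlsplit(page_url), urlsplit(script_url)
    if "self" in sources and (script.scheme, script.netloc) == (page.scheme, page.netloc):
        return True
    for s in sources:  # explicit origins such as https://cdn.example
        if "://" in s:
            origin = urlsplit(s)
            if (script.scheme, script.netloc) == (origin.scheme, origin.netloc):
                return True
    return False


def generate_nonce() -> str:
    """Fresh per-response nonce: 128 random bits, URL-safe base64 without padding."""
    return secrets.token_urlsafe(16)


def render_script_tag(src: str, nonce: Optional[str]) -> str:
    """Render an external script tag; include nonce="..." when a nonce is given.
    Attribute values are HTML-escaped so the nonce cannot break out of the tag."""
    attrs = f'src="{html.escape(src, quote=True)}"'
    if nonce is not None:
        attrs = f'nonce="{html.escape(nonce, quote=True)}" ' + attrs
    return f"<script {attrs}></script>"


if __name__ == "__main__":
    # Nonce-less tag under the strict-dynamic policy: refused, as in the report.
    print(script_allowed(STRICT_HEADER, SCRIPT_URL, PAGE_URL))
    # Same tag carrying the response nonce: allowed.
    print(script_allowed(STRICT_HEADER, SCRIPT_URL, PAGE_URL, nonce=SAMPLE_NONCE))
    print(render_script_tag("/typo3temp/assets/js/example.js", generate_nonce()))
```

The first call reproduces the failure in this ticket (same-origin script, no nonce, `'strict-dynamic'` present); the second shows that adding the per-response nonce to the tag is what makes it load, which is why `'self'` in the policy is not enough on its own.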
Updated by Benjamin Franzke 11 months ago · Edited
- Status changed from Needs Feedback to Accepted
understood, thanks!
So strict-dynamic again – we already have some implications for strict-dynamic in place, but obviously not enough:
https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/SourceKeyword.php#L60-L66
Ideally we could apply the strict-dynamic implications also during rendering – like `useNonceIfStrictDynamic`
CC @Oliver Hader
Updated by Garvin Hicking 4 months ago
- Category set to Content Security Policy
- Assignee set to Oliver Hader
(Set a category and moved the assignee to Oliver Hader, I hope that's ok - please drop and let me know if I overstepped :) )
Updated by Gerrit Code Review about 1 month ago
- Status changed from Accepted to Under Review
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204