Bug #102690

open

Script generated with "removeDefaultJS = external" has no nonce attribute

Added by Simon Würstle 12 months ago. Updated about 2 months ago.

Status: Under Review
Priority: Should have
Assignee:
Category: Content Security Policy
Target version: -
Start date: 2023-12-18
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

If you enable [SYS][features][security.frontend.enforceContentSecurityPolicy] and set "config.removeDefaultJS" to "external" (= default), the script tag has no "nonce" attribute and thus the script is blocked by the browser.


Files

csp-script-example.png (58.9 KB) csp-script-example.png Benjamin Franzke, 2023-12-19 07:12
Screenshot 2023-12-19 104916.png (19.5 KB) Screenshot 2023-12-19 104916.png Simon Würstle, 2023-12-19 09:49
Actions #1

Updated by Gerrit Code Review 12 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204

Actions #2

Updated by Gerrit Code Review 12 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204

Actions #3

Updated by Benjamin Franzke 12 months ago

Can you share your CSP Policy and the exact CSP error you get?

Questions:

  1. Which script is exactly failing – is it EXT:frontend/Resources/Public/JavaScript/default_frontend.js which is used for email links or another one? (I'm asking because the proposed fix accounts for the mentioned case)
  2. What is your CSP (inspect via browser tools and show the rendered header – it should contain `script-src 'self'` – see an example below)
  3. Do you use some kind of CDN for assets/typo3temp?

Actions #4

Updated by Simon Würstle 12 months ago

Of course, this is my csp.yaml:

inheritDefault: true
mutations:
  - mode: extend
    directive: 'script-src'
    sources:
      - "'strict-dynamic'" 

The error is:
"Refused to load the script 'https://foobar.ddev.site/typo3temp/assets/js/ba19e614c16923a947df5b199324c770.js?1694955793' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-e0E_2ThWz9pRG8NgCXsiWt59tHyzQ1pHKmPRbF9zEUtMVqV-O9uOyg' 'strict-dynamic' 'report-sample'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."

Answers to your questions:
  1. It is the script you mentioned (EXT:frontend/Resources/Public/JavaScript/default_frontend.js)
  2. See attached screenshot
  3. No CDN

Actions #5

Updated by Benjamin Franzke 12 months ago · Edited

  • Status changed from Needs Feedback to Accepted

understood, thanks!

So strict-dynamic again – we already have some implications for strict-dynamic in place, but obviously not enough:
https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/SourceKeyword.php#L60-L66

Ideally we could apply the strict-dynamic implications also during rendering – like `useNonceIfStrictDynamic`
CC @Oliver Hader
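
To make the failure mode in this thread reproducible offline, here is an added example (not TYPO3 code, and not from any participant in this ticket) that models the part of the browser's CSP algorithm that matters here: with 'strict-dynamic' in script-src, host and scheme sources such as 'self' are ignored for parser-inserted scripts, so a script tag without a matching nonce is blocked, while the same policy without 'strict-dynamic' lets 'self' allow it. The second function sketches the server-side rule the comment above proposes: attach the nonce whenever the policy carries 'strict-dynamic'. Function names (`parsePolicy`, `scriptAllowed`, `renderScriptTag`) are my own, the sample header and script URL are taken from the error message in this ticket, hash sources, script-src-elem fallback details and non-parser-inserted scripts are deliberately left out of the model, and host sources are matched by exact origin only.

```javascript
// Simplified model of CSP script-src evaluation for a static <script src> element.
// Added illustration; not the browser's or TYPO3's real implementation.

// Parse a Content-Security-Policy header into { directiveName: [sourceTokens] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Decide whether a parser-inserted <script src="..." nonce="..."> may load under
// `policy` on a page served from `pageOrigin`. Returns { allowed, reason }.
function scriptAllowed(policy, pageOrigin, script) {
  // script-src-elem takes precedence, then script-src, then default-src.
  const sources = policy['script-src-elem'] || policy['script-src'] || policy['default-src'];
  if (!sources) return { allowed: true, reason: 'no applicable directive' };

  // A matching nonce always wins, with or without 'strict-dynamic'.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) {
    return { allowed: true, reason: 'nonce matches' };
  }

  // 'strict-dynamic' disables host-based allowlisting, including 'self':
  // a parser-inserted script then needs a nonce (or hash) or it is refused.
  if (sources.includes("'strict-dynamic'")) {
    return { allowed: false, reason: "'strict-dynamic' present and no nonce matched" };
  }

  const scriptOrigin = new URL(script.src).origin;
  for (const src of sources) {
    if (src === '*') return { allowed: true, reason: 'wildcard source' };
    if (src === "'self'" && scriptOrigin === pageOrigin) return { allowed: true, reason: "'self' matches" };
    // Simplified host-source match: exact origin only (assumption of this model).
    if (!src.startsWith("'") && src === scriptOrigin) return { allowed: true, reason: `host source ${src}` };
  }
  return { allowed: false, reason: 'no source matched' };
}

// Server-side rendering rule proposed in the thread: emit a nonce attribute when
// the policy relies on nonces or contains 'strict-dynamic', since 'self' alone is
// not enough in that case. `nonce` must be the same value placed in the header.
function renderScriptTag(policy, src, nonce) {
  const sources = policy['script-src-elem'] || policy['script-src'] || [];
  const needsNonce = sources.includes("'strict-dynamic'") ||
    sources.some((s) => s.startsWith("'nonce-"));
  const nonceAttr = needsNonce ? ` nonce="${nonce}"` : '';
  return `<script src="${src}"${nonceAttr}></script>`;
}

// Constructed sample data, mirroring the policy and script URL from this ticket.
const SAMPLE_NONCE = 'e0E_2ThWz9pRG8NgCXsiWt59tHyzQ1pHKmPRbF9zEUtMVqV-O9uOyg';
const SAMPLE_HEADER =
  `script-src 'self' 'nonce-${SAMPLE_NONCE}' 'strict-dynamic' 'report-sample'`;
const SAMPLE_ORIGIN = 'https://foobar.ddev.site';
const SAMPLE_SCRIPT =
  'https://foobar.ddev.site/typo3temp/assets/js/ba19e614c16923a947df5b199324c770.js?1694955793';

const samplePolicy = parsePolicy(SAMPLE_HEADER);
console.log('without nonce:', scriptAllowed(samplePolicy, SAMPLE_ORIGIN, { src: SAMPLE_SCRIPT }));
console.log('with nonce:   ', scriptAllowed(samplePolicy, SAMPLE_ORIGIN, { src: SAMPLE_SCRIPT, nonce: SAMPLE_NONCE }));
console.log('rendered:     ', renderScriptTag(samplePolicy, SAMPLE_SCRIPT, SAMPLE_NONCE));
```

Run it with `node` and compare the first line of output with the "Refused to load the script" message quoted earlier in the ticket: the policy is the same, and the only difference between the blocked and the allowed case is the nonce attribute on the tag.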

Actions #6

Updated by Garvin Hicking 4 months ago

  • Category set to Content Security Policy
  • Assignee set to Oliver Hader

(Set a category and moved the assignee to Oliver Hader, I hope that's ok - please drop and let me know if I overstepped :) )

Actions #7

Updated by Gerrit Code Review about 2 months ago

  • Status changed from Accepted to Under Review

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204
