Bug #102690
open
Script generated with "removeDefaultJS = external" has no nonce attribute
Added by Simon Würstle 7 months ago.
Updated 7 months ago.
Description
If you enable [SYS][features][security.frontend.enforceContentSecurityPolicy] and set "config.removeDefaultJS" to "external" (= default), the script tag has no "nonce" attribute and thus the script is blocked by the browser.
Files
- Status changed from New to Under Review
Can you share your CSP Policy and the exact CSP error you get?
Questions:
- Which script is exactly failing – is it
EXT:frontend/Resources/Public/JavaScript/default_frontend.js which is used for email links or another one? (I'm asking because the proposed fix accounts for the mentioned case)
- What is your CSP (inspect via browser tools and show the rendered header – it should contain `script-src 'self' – see an example below)
- Do you use some kind of CDN for assets/typo3temp?
Of course, this is my csp.yaml:
inheritDefault: true
mutations:
- mode: extend
directive: 'script-src'
sources:
- "'strict-dynamic'"
The error is:
"Refused to load the script 'https://foobar.ddev.site/typo3temp/assets/js/ba19e614c16923a947df5b199324c770.js?1694955793' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-e0E_2ThWz9pRG8NgCXsiWt59tHyzQ1pHKmPRbF9zEUtMVqV-O9uOyg' 'strict-dynamic' 'report-sample'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."
Answers to your questions:
- it is the script you mentioned (EXT:frontend/Resources/Public/JavaScript/default_frontend.js)
- see attached screenshot
- no CDN
- Status changed from Needs Feedback to Accepted
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 