Bug #102690: Script generated with "removeDefaultJS = external" has no nonce attribute - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (6)

Benjamin Franzke
Garvin Hicking
Nicole Zingg
Oliver Hader
Simon Würstle
Tilo Baller

Actions

Copy link

Bug #102690

open

Script generated with "removeDefaultJS = external" has no nonce attribute

Added by Simon Würstle 11 months ago. Updated about 1 month ago.

Status:

Under Review

Priority:

Should have

Assignee:

Oliver Hader

Category:

Content Security Policy

Target version:

Start date:

2023-12-18

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

8.2

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

If you enable [SYS][features][security.frontend.enforceContentSecurityPolicy] and set "config.removeDefaultJS" to "external" (= default), the script tag has no "nonce" attribute and thus the script is blocked by the browser.

Files

Download all files

csp-script-example.png (58.9 KB) csp-script-example.png		Benjamin Franzke, 2023-12-19 07:12
Screenshot 2023-12-19 104916.png (19.5 KB) Screenshot 2023-12-19 104916.png		Simon Würstle, 2023-12-19 09:49

History
Notes
Property changes

Actions

Copy link

Updated by Gerrit Code Review 11 months ago

Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204

Actions

Copy link

Updated by Gerrit Code Review 11 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204

Actions

Copy link

Updated by Benjamin Franzke 11 months ago

File csp-script-example.png csp-script-example.png added
Status changed from Under Review to Needs Feedback

Can you share your CSP Policy and the exact CSP error you get?

Questions:

Which script is exactly failing – is it EXT:frontend/Resources/Public/JavaScript/default_frontend.js which is used for email links or another one? (I'm asking because the proposed fix accounts for the mentioned case)
What is your CSP (inspect via browser tools and show the rendered header – it should contain `script-src 'self' – see an example below)
Do you use some kind of CDN for assets/typo3temp?

Actions

Copy link

Updated by Simon Würstle 11 months ago

File Screenshot 2023-12-19 104916.png Screenshot 2023-12-19 104916.png added

Of course, this is my csp.yaml:

inheritDefault: true
mutations:
  - mode: extend
    directive: 'script-src'
    sources:
      - "'strict-dynamic'"

The error is:
"Refused to load the script 'https://foobar.ddev.site/typo3temp/assets/js/ba19e614c16923a947df5b199324c770.js?1694955793' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-e0E_2ThWz9pRG8NgCXsiWt59tHyzQ1pHKmPRbF9zEUtMVqV-O9uOyg' 'strict-dynamic' 'report-sample'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."

Answers to your questions:

it is the script you mentioned (EXT:frontend/Resources/Public/JavaScript/default_frontend.js)
see attached screenshot
no CDN

Actions

Copy link

Updated by Benjamin Franzke 11 months ago · Edited

Status changed from Needs Feedback to Accepted

understood, thanks!

So strict-dynamic again – we already have some implications for strict-dynamic in place, but obviously not enough:
https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/SourceKeyword.php#L60-L66

Ideally would could apply the strict-dynamic implications also during rendering – like `useNonceIfStrictDynamic`
CC @Oliver Hader

Actions

Copy link

Updated by Garvin Hicking 4 months ago

Category set to Content Security Policy
Assignee set to Oliver Hader

(Set a category and moved the assignee to Oliver Hader, I hope that's ok - please drop and let me know if I overstepped :) )

Actions

Copy link

Updated by Gerrit Code Review about 1 month ago

Status changed from Accepted to Under Review

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82204

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (6)

Bug #102690

Script generated with "removeDefaultJS = external" has no nonce attribute

Updated by Gerrit Code Review 11 months ago

Updated by Gerrit Code Review 11 months ago

Updated by Benjamin Franzke 11 months ago

Updated by Simon Würstle 11 months ago

Updated by Benjamin Franzke 11 months ago · Edited

Updated by Garvin Hicking 4 months ago

Updated by Gerrit Code Review about 1 month ago