Actions
Bug #103149
open
CSP prevents sitemap.xml inline CSS styles
Status:
New
Priority:
Must have
Assignee:
-
Category:
Content Security Policy
Target version:
-
Start date:
2024-02-19
Due date:
% Done:
0%
Estimated time:
TYPO3 Version:
13
PHP Version:
Tags:
csp, content-security-policy
Complexity:
Is Regression:
Sprint Focus:
Description
Problem/Description¶
CSS Inline Styles in the auto generated sitemap.xml feature is blocked by Content Security Policy per default.
Affected: main, 13.0, 12.4
Acceptance Criteria¶
The styles should work without modifying CSP rules or the sitemap.xml template files.
BTW: what about a dedicated redmine category named "Content Security Policy"?
Updated by Timo Webler 2 months ago
Our current workaround:
class PolicyMutatedEvent
{
protected string $sitemapPageType = '1533906435';
public function __invoke(\TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent $event): void
{
$request = $this->getRequest();
if (
!$event->scope->isFrontendSite() ||
$request === null ||
$request->getAttribute('frontend.controller')?->getPageArguments()->getPageType() !== $this->sitemapPageType
) {
return;
}
$event->getCurrentPolicy()->set(
Directive::StyleSrcElem,
SourceKeyword::unsafeInline
);
}
protected function getRequest(): ?ServerRequestInterface
{
return $GLOBALS['TYPO3_REQUEST'];
}
}
Updated by Benni Mack 30 days ago
- Category changed from Frontend to Content Security Policy
Updated by Timo Webler 19 days ago
- Related to Bug #103567: Sitemap refuses to apply Stylesheet because of CSP added
Actions