Project

General

Profile

Actions

Bug #103149

open

CSP prevents sitemap.xml inline CSS styles

Added by Josef Glatz about 2 months ago. Updated 17 days ago.

Status:
New
Priority:
Must have
Assignee:
-
Category:
Content Security Policy
Target version:
-
Start date:
2024-02-19
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
13
PHP Version:
Tags:
csp, content-security-policy
Complexity:
Is Regression:
Sprint Focus:

Description

Problem/Description

CSS Inline Styles in the auto generated sitemap.xml feature is blocked by Content Security Policy per default.

Affected: main, 13.0, 12.4

Acceptance Criteria

The styles should work without modifying CSP rules or the sitemap.xml template files.


BTW: what about a dedicated redmine category named "Content Security Policy"?


Related issues 1 (1 open0 closed)

Related to TYPO3 Core - Bug #103567: Sitemap refuses to apply Stylesheet because of CSPNew2024-04-08

Actions
Actions #1

Updated by Timo Webler about 2 months ago

Our current workaround:

class PolicyMutatedEvent
{
    protected string $sitemapPageType = '1533906435';

    public function __invoke(\TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent $event): void
    {
        $request = $this->getRequest();
        if (
            !$event->scope->isFrontendSite() ||
            $request === null ||
            $request->getAttribute('frontend.controller')?->getPageArguments()->getPageType() !== $this->sitemapPageType
        ) {
            return;
        }
        $event->getCurrentPolicy()->set(
            Directive::StyleSrcElem,
            SourceKeyword::unsafeInline
        );
    }

    protected function getRequest(): ?ServerRequestInterface
    {
        return $GLOBALS['TYPO3_REQUEST'];
    }
}
Actions #2

Updated by Benni Mack 17 days ago

  • Category changed from Frontend to Content Security Policy
Actions #3

Updated by Timo Webler 6 days ago

  • Related to Bug #103567: Sitemap refuses to apply Stylesheet because of CSP added
Actions

Also available in: Atom PDF