Bug #103190
Closed
Unsupported scheme "wss"; must be any empty string or in the set (http, https)
100%
Description
The UriValue class cannot work with wss schemes. You will get an exception for Unsupported scheme "wss".
Steps to reproduce:
1. Create a Configuration/ContentSecurityPolicies.php file
2. Add a configuration for a WorkerSrc:
    return Map::fromEntries([
        Scope::frontend(),
        new MutationCollection(
            new Mutation(
                MutationMode::Append,
                Directive::WorkerSrc,
                new UriValue('wss://www.example.com:8080'),
            ),
        ),
    ]);
3. Enable CSP checking in frontend
4. Try to load the frontend.
Updated by Georg Großberger 9 months ago
The hardcoded "http" and "https" values for the scheme of a UriValue object also throw errors in other parts of TYPO3 that use the UriValue class.
E.g. if the report handler ("/@http-reporting?csp=report&...") receives a JSON body like this:
    {
        "csp-report": {
            "blocked-uri": "https://stats.g.doubleclick.net/j/collect...",
            "column-number": 32,
            "disposition": "enforce",
            "document-uri": "https://www.my.site/slug",
            "effective-directive": "connect-src",
            "line-number": 36,
            "original-policy": "...",
            "referrer": "android-app://com.google.android.googlequicksearchbox/",
            "script-sample": "",
            "source-file": "https://www.google-analytics.com/analytics.js",
            "status-code": 200,
            "violated-directive": "connect-src"
        }
    }
an "InvalidArgumentException" exception is thrown because of the android-app:// prefix in the referrer.
Updated by Oliver Hader 9 months ago
\TYPO3\CMS\Core\Http\Uri (which is the parent class for UriValue) does not support wss: as scheme - see https://github.com/TYPO3/typo3/blob/450e8a005b080b293dde0acc3f1a1ecb0acbe314/typo3/sysext/core/Classes/Http/Uri.php#L53-L56
For android-app://com.google.android.googlequicksearchbox/ it probably would require a new type, since com.google.android.googlequicksearchbox does not semantically refer to a network authority.
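A CSP report endpoint accepts input from any browser, so URI fields carrying schemes outside a fixed set are better classified than handed to a constructor that throws. The sketch below is an added example, not TYPO3 code and not the patch applied for this issue; the helper name classifyReportUri, the NETWORK_SCHEMES allowlist and the sample report are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: schemes this sketch treats as referring to a network authority.
const NETWORK_SCHEMES = ['http', 'https', 'ws', 'wss'];

/**
 * Classify a URI-like field of a CSP violation report without throwing.
 * Hypothetical helper, not part of the TYPO3 API.
 */
function classifyReportUri(string $value): array
{
    $value = trim($value);
    if ($value === '') {
        return ['kind' => 'empty', 'scheme' => null, 'value' => ''];
    }
    // Browsers may send bare tokens such as "inline", "eval" or "data".
    if (preg_match('/^[a-z-]+$/', $value) === 1) {
        return ['kind' => 'keyword', 'scheme' => null, 'value' => $value];
    }
    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $value, $m) !== 1) {
        return ['kind' => 'invalid', 'scheme' => null, 'value' => null];
    }
    $scheme = strtolower($m[1]);
    if (!in_array($scheme, NETWORK_SCHEMES, true)) {
        // android-app:, data:, blob: and similar: no network authority,
        // so only the scheme is kept for logging and aggregation.
        return ['kind' => 'opaque', 'scheme' => $scheme, 'value' => $scheme . ':'];
    }
    $parts = parse_url($value);
    if ($parts === false || empty($parts['host'])) {
        return ['kind' => 'invalid', 'scheme' => $scheme, 'value' => null];
    }
    // Reduce network URIs to their origin; path and query are dropped.
    $origin = $scheme . '://' . strtolower($parts['host'])
        . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return ['kind' => 'network', 'scheme' => $scheme, 'value' => $origin];
}

// Constructed sample input, modelled on the report quoted in this issue.
$json = '{"csp-report":{"blocked-uri":"https://stats.g.doubleclick.net/j/collect",'
    . '"document-uri":"https://www.my.site/slug",'
    . '"referrer":"android-app://com.google.android.googlequicksearchbox/"}}';
$report = json_decode($json, true)['csp-report'] ?? [];
foreach (['blocked-uri', 'document-uri', 'referrer'] as $field) {
    $result = classifyReportUri((string)($report[$field] ?? ''));
    printf("%-13s %-8s %s\n", $field, $result['kind'], $result['value'] ?? '-');
}
```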
Updated by Gerrit Code Review 9 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/83173
Updated by Josef Glatz 9 months ago
Is this something that the core needs to support or do we need to find a solution to prevent these exceptions in logging (log files and/or sentry) in your opinion, @Oliver Hader?
Updated by Gerrit Code Review 9 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/83110
Updated by Oliver Hader 9 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset bf8184f2d566c43cec298bd76f10cf85c5992b7c.
Updated by Oliver Hader 6 months ago
- Related to Bug #103935: InvalidArgumentException "Unsupported scheme android-app" in CSP reporter added