Bug #104125

closed

CSP violation of Sitemap.xsl in XML sitemap

Added by Peter Kraume about 1 month ago. Updated 29 days ago.

Status: Closed
Priority: Should have
Assignee: -
Category: SEO
Target version: -
Start date: 2024-06-16
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 13
PHP Version: 8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The XML sitemap of EXT:seo contains an xml-stylesheet e.g. like this:

<?xml-stylesheet type="text/xsl" href="/_assets/984e6ee9829f85eb447bb6a36455204a/CSS/Sitemap.xsl"?>

When Content Security Policy is enabled for the frontend, the browser console issues an error:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem 'self' 'nonce-5SQacQND6pnXGXg2TxtAJVRyTvzSUddSm8lSmcx5XL7xTh7STYnqLA' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-d0ax6zoVJBeBpy4l3O2FJ6Y1L4SalCWw2x62uoJH15k='), or a nonce ('nonce-...') is required to enable inline execution.
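
The console message above names a hash as one of the sources that would permit the inline style. As an added example (not code from this ticket or from TYPO3), the Python below computes that hash-source for each style block in an XSL file and checks it against a policy string. The sample XSL and the function names are constructed, and it assumes the style text contains no XSLT instructions, so the browser sees it unchanged after the transform.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a minimal XSL with one inline <style> (not TYPO3's Sitemap.xsl).
SAMPLE_XSL = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><head><style>body { font-family: sans-serif; }</style></head>
    <body><xsl:apply-templates/></body></html>
  </xsl:template>
</xsl:stylesheet>"""

# Directive copied from the console message quoted on this page.
PAGE_POLICY = ("style-src-elem 'self' "
               "'nonce-5SQacQND6pnXGXg2TxtAJVRyTvzSUddSm8lSmcx5XL7xTh7STYnqLA' 'report-sample'")


def hash_source(css_text):
    """Return the CSP hash-source for the exact text of one inline style block."""
    digest = hashlib.sha256(css_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_hashes(xsl_text):
    """Hash-sources for every <style> element in the stylesheet, in document order."""
    root = ET.fromstring(xsl_text.encode("utf-8"))
    return [hash_source(el.text or "") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "style"]


def inline_style_allowed(policy, src):
    """True if the policy lets an inline <style> with hash-source `src` apply."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    for name in ("style-src-elem", "style-src", "default-src"):  # fallback order
        if name in directives:
            sources = directives[name]
            break
    else:
        return True  # no governing directive: inline styles are not restricted
    if src in sources:
        return True
    # Browsers ignore 'unsafe-inline' once the directive lists any nonce or hash.
    pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not pinned
```

The hash covers the style text byte for byte, so any whitespace change in the XSL file changes the value that has to be listed in the policy.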


Related issues 1 (1 open, 0 closed)

Is duplicate of TYPO3 Core - Bug #103149: CSP prevents sitemap.xml inline CSS styles (Under Review, 2024-02-19)

Actions #1

Updated by Garvin Hicking 29 days ago

  • Status changed from New to Needs Feedback

Problem here is that the XSL file is a static file. So to be able to issue a nonce from within that file (to allow it to use inline CSS) it would need to be implemented as a Fluid or PHP file and get active. That would mean more processing in this case.

Also, sadly the inline CSS of the XSL file cannot be moved easily to a static file. Because then the URL would need to be included in the static XSL file, but since it's a dynamic _assets/.../ URI, this cannot happen either. Else we would need JavaScript to calculate a relative URI, but: Inline JavaScript is not allowed.

The overhead though for implementing a kind of middleware for both the XSL and CSS file is quite high.

I think maybe the impact of not having an HTML/CSS rendering for the sitemap with enabled CSP in the frontend may not be high enough to rectify all of this complexity, what do you think?

Actions #2

Updated by Peter Kraume 29 days ago

I agree, the effort to build a proper solution is not worth it.
Nevertheless it would be nice to prevent the CSP violation.
Maybe by adding a check if CSP is off in the frontend and only then inserting the xsl?

Actions #3

Updated by Wittkiel Gruppe 29 days ago

Duplicate of #103149?

Actions #4

Updated by Peter Kraume 29 days ago

  • Is duplicate of Bug #103149: CSP prevents sitemap.xml inline CSS styles added

Actions #5

Updated by Peter Kraume 29 days ago

Yes, you're right. This ticket can be closed then.

Actions #6

Updated by Garvin Hicking 29 days ago

  • Status changed from Needs Feedback to Closed