Bug #104125
Status: Closed
CSP violation of Sitemap.xsl in XML sitemap
Description
The XML sitemap of EXT:seo contains an xml-stylesheet, e.g. like this:
<?xml-stylesheet type="text/xsl" href="/_assets/984e6ee9829f85eb447bb6a36455204a/CSS/Sitemap.xsl"?>
When Content Security Policy is enabled for the frontend, the browser console issues an error:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem 'self' 'nonce-5SQacQND6pnXGXg2TxtAJVRyTvzSUddSm8lSmcx5XL7xTh7STYnqLA' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-d0ax6zoVJBeBpy4l3O2FJ6Y1L4SalCWw2x62uoJH15k='), or a nonce ('nonce-...') is required to enable inline execution.
Updated by Garvin Hicking 29 days ago
- Status changed from New to Needs Feedback
Problem here is that the XSL file is a static file. So to be able to issue a nonce from within that file (to allow it to use inline CSS), it would need to be implemented as a Fluid or PHP file and become active. That would mean more processing in this case.
Also, sadly, the inline CSS of the XSL file cannot be moved easily to a static file, because then the URL would need to be included in the static XSL file, but since it's a dynamic _assets/.../ URI, this cannot happen either. Otherwise we would need JavaScript to calculate a relative URI, but inline JavaScript is not allowed.
The overhead though for implementing a kind of middleware for both the XSL and CSS file is quite high.
I think maybe the impact of not having an HTML/CSS rendering for the sitemap with enabled CSP in the frontend may not be high enough to rectify all of this complexity, what do you think?
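The browser error quoted in the description names three ways to permit an inline style under style-src-elem: 'unsafe-inline', a nonce, or a hash of the exact style text. The following is an added example (not code from EXT:seo, TYPO3 or this thread) that reproduces the browser's decision for a constructed stand-in Sitemap.xsl: it extracts the inline <style> block, computes the CSP sha256 hash-source for it, builds a policy that allows it, and shows why the policy from the error message rejects it. The XSL content, the policy strings and the nonce value are all constructed for the example.

```python
import base64
import hashlib
import re
from typing import List, Optional

# Constructed stand-in for a Sitemap.xsl with an inline <style> block.
# It is not the real EXT:seo file, so its hash is not the one in the reported error.
SAMPLE_XSL = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html>
      <head>
        <style>
          body { font-family: sans-serif; }
          table { border-collapse: collapse; }
        </style>
      </head>
      <body><table><tr><th>URL</th></tr></table></body>
    </html>
  </xsl:template>
</xsl:stylesheet>
"""

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.DOTALL)


def inline_styles(doc: str) -> List[str]:
    """Return the exact text of each inline <style> element.
    A CSP hash covers exactly these bytes, leading/trailing whitespace included."""
    return STYLE_RE.findall(doc)


def csp_hash(source: str, alg: str = "sha256") -> str:
    """Hash-source token as a browser computes it: '<alg>-' + base64(digest of the UTF-8 bytes)."""
    digest = hashlib.new(alg, source.encode("utf-8")).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_directive(policy: str, name: str) -> List[str]:
    """Source list of directive `name` in a serialized policy, or [] if the directive is absent."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return []


def allows_inline_style(policy: str, style_source: str, nonce: Optional[str] = None) -> bool:
    """Decide whether a <style> element is permitted, using the directive fallback chain
    style-src-elem -> style-src -> default-src. `nonce` is the nonce attribute the element carries, if any."""
    for name in ("style-src-elem", "style-src", "default-src"):
        sources = parse_directive(policy, name)
        if sources:
            break
    else:
        return True  # no governing directive, so inline styles are unrestricted

    tokens = [s.strip("'") for s in sources]
    keywords = {t.lower() for t in tokens}
    # 'unsafe-inline' only counts when the source list has no nonce or hash sources.
    has_nonce_or_hash = any(t.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for t in tokens)
    if "unsafe-inline" in keywords and not has_nonce_or_hash:
        return True
    if nonce is not None and f"nonce-{nonce}" in tokens:
        return True
    # Hash tokens are base64 and therefore case-sensitive: compare them unchanged.
    return any(csp_hash(style_source, alg) in tokens for alg in ("sha256", "sha384", "sha512"))


def hashed_policy(doc: str, base_policy: str = "style-src-elem 'self'") -> str:
    """Extend a policy with one sha256 hash-source per inline <style> found in `doc`.
    Any byte-level change to a style block changes its hash, so the policy must be regenerated with it."""
    return base_policy + "".join(f" '{csp_hash(s)}'" for s in inline_styles(doc))


if __name__ == "__main__":
    style = inline_styles(SAMPLE_XSL)[0]
    reported = "style-src-elem 'self' 'nonce-CONSTRUCTEDNONCE' 'report-sample'"
    print("nonce-only policy, static XSL without nonce:", allows_inline_style(reported, style))
    print("hash policy:", hashed_policy(SAMPLE_XSL))
    print("hash policy allows the block:", allows_inline_style(hashed_policy(SAMPLE_XSL), style))
```

The hash route is what a static file can live with, but it ties the policy to the byte-exact content of the style block: reformatting the CSS, or a build step that minifies or re-indents the XSL, silently invalidates the hash, which is the maintenance cost behind the "static file" problem described above.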
Updated by Peter Kraume 29 days ago
I agree, the effort to build a proper solution is not worth it.
Nevertheless it would be nice to prevent the CSP violation.
Maybe by adding a check if CSP is off in the frontend and only then inserting the XSL?
Updated by Peter Kraume 29 days ago
- Is duplicate of Bug #103149: CSP prevents sitemap.xml inline CSS styles added
Updated by Peter Kraume 29 days ago
Yes, you're right. This ticket can be closed then.
Updated by Garvin Hicking 29 days ago
- Status changed from Needs Feedback to Closed