Bug #104125
closed
CSP violation of Sitemap.xsl in XML sitemap
Added by Peter Kraume 5 months ago.
Updated 5 months ago.
Description
The XML sitemap of EXT:seo contains a xml-stylesheet e.g. like this:
<?xml-stylesheet type="text/xsl" href="/_assets/984e6ee9829f85eb447bb6a36455204a/CSS/Sitemap.xsl"?>
When Content Security Policy is enabled for the frontend, the browser console issues an error:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem 'self' 'nonce-5SQacQND6pnXGXg2TxtAJVRyTvzSUddSm8lSmcx5XL7xTh7STYnqLA' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-d0ax6zoVJBeBpy4l3O2FJ6Y1L4SalCWw2x62uoJH15k='), or a nonce ('nonce-...') is required to enable inline execution.
- Status changed from New to Needs Feedback
Problem here is that the XSL file is a static file. So to be able to issue a nonce from within that file (to allow it using inline CSS) it would need to be implemented as a fluid or PHP file and get active. That would mean more processing in this case.
Also, sadly the inline CSS of the XSL file cannot be moved easily to a static file. Because then the URL would need to be included in the static XSL file, but since it's a dynamic _assets/.../ URI, this cannot happen either. Else we would need javascript to calculate a relative URI, but: Inline javascript is not allowed.
The overhead though for implementing a kind of middleware for both the XSL and CSS file is quite high.
I think maybe the impact of not having a HTML/CSS rendering for the sitemap with enabled CSP in the frontend may not be high enough to rectify all of this complexity, what do you think?
I agree, the effort to build a proper solution is not worth it.
Nevertheless it would be nice to prevent the CSP violation.
Maybe by adding a check if CSP is off in the frontend and only then inserting the xsl?
- Is duplicate of Bug #103149: CSP prevents sitemap.xml inline CSS styles added
Yes, you're right. This ticket can be closed then.
- Status changed from Needs Feedback to Closed
Also available in: Atom
PDF