Bug #106036 (open)
Admin panel does not trigger nonce to be consumed
Description
When you activate the admin panel on a frontend page as a logged-in backend user that does not have a consumed nonce, errors will show up regarding CSP. This is due to the fact that the admin panel adds script and link tags with a nonce, which has never been triggered to be consumed, so the nonce does not appear in the frontend content security policy. Only the nonce string is fetched.
Also, there are some link and script tags generated by the admin panel which do not use inline CSS or JS but refer to files using the src/href attribute, yet nevertheless get a nonce attribute. When not using inline, the nonce is not needed.
Requirements:
- Frontend content security policies enabled
- Page without any nonce (when not logged in)
- Logged-in backend user
- The same page opened from the backend
- Admin panel enabled
- Admin panel activated in the page (switch in the lower right corner turned from red to green)

Open the console and watch the CSP errors regarding the script-src and style-src directives.
Updated by Garvin Hicking 11 days ago
Did you by chance test this with v13, too? I somehow think to remember that v13 had (breaking) changes in this regard to make it work.
Updated by Patrick Broens 11 days ago
Garvin Hicking wrote in #note-4:
Did you by chance test this with v13, too? I somehow think to remember that v13 had (breaking) changes in this regard to make it work.
No, I did not. I do not have any installation running on v13 yet.
Updated by Garvin Hicking 11 days ago
Could you maybe help us here and set one up to test?
Updated by Christian Kuhn 10 days ago
· Edited
I removed nonce handling at least partially with #104725 in v13 adminpanel since I dropped some inline JS. This may have solved the issue in v13??
Updated by Christian Kuhn 10 days ago
- Related to Task #104725: Massive amount of data stored and transmitted by admin panel added