Bug #106036

open

Admin panel does not trigger nonce to be consumed

Added by Patrick Broens 11 days ago. Updated 10 days ago.

Status: New
Priority: Must have
Assignee: -
Category: AdminPanel
Target version: -
Start date: 2025-01-30
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When you activate the admin panel on a frontend page as a logged-in backend user, on a page which does not have a consumed nonce, errors regarding CSP will show up. This is due to the fact that the admin panel adds script and link tags with a nonce which has never been triggered to be consumed, so the nonce does not appear in the frontend content security policy. Only the nonce string is fetched.

Also, there are some link and script tags generated by the admin panel which do not use inline CSS or JS but refer to files using the src/href attribute, yet nevertheless get a nonce attribute. When not using inline code, the nonce is not needed.

Requirements:
  • Frontend content security policies enabled
  • Page without any nonce (when not logged in)
  • Logged in backend user
  • The same page opened from the backend
  • Admin panel enabled
  • Admin panel activated in the page (switch in lower right corner turned from red to green)

Open the console and watch the CSP errors regarding the script-src and style-src directives.
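The mismatch this report describes, modelled as an added example (this is constructed illustration code, not TYPO3's admin panel or CSP implementation, and not the reporter's code): a per-request nonce only lands in the Content-Security-Policy header when a tag actually consumes it. Tag builders that merely read the nonce value reproduce the reported state, where the markup carries `nonce="..."` attributes that the policy never allows; builders that consume it make header and markup agree; and tags that load an external file via `src`/`href` get no nonce attribute at all. `NonceContext`, the tag helpers, the nonce value and the `/typo3/adminpanel.*` paths are all assumptions made for this example.

```python
"""Model of how a CSP nonce must be 'consumed' to appear in the policy header.

Constructed example (not TYPO3 code). A page-level NonceContext hands out the
per-request nonce. Tag builders that only *read* the nonce (peek) reproduce the
reported problem: the markup carries nonce="..." attributes, but the header
never lists 'nonce-...', so the browser reports script-src / style-src
violations. Builders that *consume* the nonce make the header match.
External resources (src/href) get no nonce attribute at all.
"""
import html
import re
import secrets


class NonceContext:
    """Per-request nonce plus a flag recording whether any tag consumed it."""

    def __init__(self, nonce=None):
        self.nonce = nonce or secrets.token_urlsafe(18)
        self.consumed = False

    def peek(self):
        """Return the value without marking it consumed (the reported misuse)."""
        return self.nonce

    def consume(self):
        """Return the value and mark it so the policy builder emits 'nonce-...'."""
        self.consumed = True
        return self.nonce


def script_tag(ctx, *, src=None, inline=None, consume=True):
    """Inline code needs a nonce; an external file needs only its src allowlisted."""
    if src is not None:
        return f'<script src="{html.escape(src, quote=True)}"></script>'
    nonce = ctx.consume() if consume else ctx.peek()
    return f'<script nonce="{nonce}">{inline}</script>'


def style_tag(ctx, *, href=None, inline=None, consume=True):
    """Same rule for styles: nonce for inline <style>, none for a <link href>."""
    if href is not None:
        return f'<link rel="stylesheet" href="{html.escape(href, quote=True)}">'
    nonce = ctx.consume() if consume else ctx.peek()
    return f'<style nonce="{nonce}">{inline}</style>'


def build_csp(ctx):
    """script-src/style-src carry the nonce source only when something consumed it."""
    script_src = ["'self'"]
    style_src = ["'self'"]
    if ctx.consumed:
        script_src.append(f"'nonce-{ctx.nonce}'")
        style_src.append(f"'nonce-{ctx.nonce}'")
    return (
        "default-src 'self'; "
        f"script-src {' '.join(script_src)}; "
        f"style-src {' '.join(style_src)}"
    )


NONCE_ATTR = re.compile(r'nonce="([^"]+)"')


def blocked_nonces(markup, policy):
    """Nonce attributes in the markup that the policy does not allow.

    Each entry corresponds to an inline block the browser would block and
    report in the console as a script-src or style-src violation.
    """
    allowed = set(re.findall(r"'nonce-([^']+)'", policy))
    return [n for n in NONCE_ATTR.findall(markup) if n not in allowed]


def render_page(consume):
    """Render admin-panel-style markup and its CSP header; return both plus mismatches."""
    ctx = NonceContext(nonce="constructedNonce123")  # constructed, fixed for reproducibility
    parts = [
        script_tag(ctx, src="/typo3/adminpanel.js"),    # hypothetical path, no nonce needed
        style_tag(ctx, href="/typo3/adminpanel.css"),   # hypothetical path, no nonce needed
        script_tag(ctx, inline="initAdminPanel();", consume=consume),
        style_tag(ctx, inline=".adminpanel{display:block}", consume=consume),
    ]
    markup = "\n".join(parts)
    policy = build_csp(ctx)
    return markup, policy, blocked_nonces(markup, policy)


if __name__ == "__main__":
    for label, consume in (("peek only (reported state)", False), ("consumed (expected)", True)):
        markup, policy, blocked = render_page(consume)
        print(f"--- {label}\n{markup}\nContent-Security-Policy: {policy}\nblocked nonces: {blocked}\n")
```

Running the block prints both renderings side by side: in the peek-only case the two inline tags carry a nonce the header never grants, which is exactly the console error pattern listed in the reproduction steps, while the consumed case yields an empty mismatch list and the external script/link tags never carry a nonce in either case.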


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Task #104725: Massive amount of data stored and transmitted by admin panel (Closed, 2024-08-24)

Actions #1

Updated by Patrick Broens 11 days ago

  • Description updated (diff)
Actions #2

Updated by Patrick Broens 11 days ago

  • Description updated (diff)
Actions #3

Updated by Patrick Broens 11 days ago

  • Description updated (diff)
Actions #4

Updated by Garvin Hicking 11 days ago

Did you by chance test this with v13, too? I somehow seem to remember that v13 had (breaking) changes in this regard to make it work.

Actions #5

Updated by Patrick Broens 11 days ago

Garvin Hicking wrote in #note-4:

Did you by chance test this with v13, too? I somehow think to remember that v13 had (breaking) changes in this regard to make it work.

No, I did not. I do not have any installation running on v13 yet.

Actions #6

Updated by Garvin Hicking 11 days ago

Could you maybe help us here and set one up to test?

Actions #7

Updated by Christian Kuhn 10 days ago · Edited

I removed nonce handling at least partially with #104725 in v13 adminpanel since I dropped some inline JS. This may have solved the issue in v13??

Actions #8

Updated by Christian Kuhn 10 days ago

  • Related to Task #104725: Massive amount of data stored and transmitted by admin panel added