Bug #106036

open

Admin panel does not trigger nonce to be consumed

Added by Patrick Broens 11 days ago. Updated 10 days ago.

Status: New
Priority: Must have
Assignee: -
Category: AdminPanel
Target version: -
Start date: 2025-01-30
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When you activate the admin panel on a frontend page as a logged-in backend user which does not have a consumed nonce, errors will show up regarding CSP. This is due to the fact that the admin panel does add script and link tags with a nonce, which has never been triggered to be consumed, so the nonce does not appear in the frontend content security policy. Only the nonce string is fetched.

Also there are some link and script tags, generated by the admin panel, which do not use inline CSS or JS but refer to files using the src/href attribute, but nevertheless get a nonce attribute. When not using inline, the nonce is not needed.

Requirements:
  • Frontend content security policies enabled
  • Page without any nonce (when not logged in)
  • Logged in backend user
  • The same page opened from the backend
  • Admin panel enabled
  • Admin panel activated in the page (switch in lower right corner turned from red to green)

Open the console and watch the CSP errors regarding script-src and style-src directives.
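
A way to confirm the mismatch from a captured response instead of the browser console, as an added example that is not part of the original report or of TYPO3: it compares the nonces on script, style and link tags in the raw HTML with the nonces allowed by the Content-Security-Policy header. The function names, the sample header, the sample markup and the placeholder paths are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Directive fallback order browsers apply for element loads.
SCRIPT_CHAIN = ("script-src-elem", "script-src", "default-src")
STYLE_CHAIN = ("style-src-elem", "style-src", "default-src")

def policy_nonces(csp_header):
    """Map each directive name to the set of nonces it allows."""
    policy = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = {
                m.group(1) for t in tokens[1:]
                if (m := re.fullmatch(r"'nonce-([^']+)'", t))}
    return policy

class NonceCollector(HTMLParser):
    """Collect (tag, nonce, is_external) for tags carrying a nonce."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style", "link") and a.get("nonce"):
            self.found.append((tag, a["nonce"], bool(a.get("src") or a.get("href"))))

def audit(csp_header, html):
    """Return tags whose nonce is absent from the governing directive."""
    policy = policy_nonces(csp_header)
    collector = NonceCollector()
    collector.feed(html)
    findings = []
    for tag, nonce, external in collector.found:
        chain = SCRIPT_CHAIN if tag == "script" else STYLE_CHAIN
        directive = next((d for d in chain if d in policy), None)
        if directive is not None and nonce not in policy[directive]:
            findings.append({"tag": tag, "external": external, "directive": directive})
    return findings

# Constructed sample: nonce present in the markup, missing from the header.
SAMPLE_CSP = "default-src 'self'; script-src 'self'; style-src 'self'"
SAMPLE_HTML = """<script nonce="Zm9vYmFy">var panel = {};</script>
<script src="/placeholder/adminpanel.js" nonce="Zm9vYmFy"></script>
<link rel="stylesheet" href="/placeholder/adminpanel.css" nonce="Zm9vYmFy">"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSP, SAMPLE_HTML):
        print(finding)
```

Run it against the response body as delivered by the server, since browsers hide the nonce attribute value from the DOM after parsing.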


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Task #104725: Massive amount of data stored and transmitted by admin panel (Closed, 2024-08-24)
