Bug #106036
openAdmin panel does not trigger nonce to be consumed
Status:
New
Priority:
Must have
Assignee:
-
Category:
AdminPanel
Target version:
-
Start date:
2025-01-30
Due date:
% Done:
0%
Estimated time:
TYPO3 Version:
12
PHP Version:
8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description
When you activate the admin panel on a frontend page as a logged-in backend user which does not have a consumed nonce, errors will show up regarding CSP. This is due to the fact that the admin panel does add script and link tags with a nonce, which is never triggered to be consumed, so the nonce does not appear in the frontend content security policy. Only the nonce string is fetched.
Also there are some link and script tags, generated by the admin panel, which do not use inline CSS or JS but refer to files using the src/href attribute, but nevertheless get a nonce attribute. When not using inline, the nonce is not needed.
Requirements:
- Frontend content security policies enabled
- Page without any nonce (when not logged in)
- Logged in backend user
- The same page opened from the backend
- Admin panel enabled
- Admin panel activated in the page (switch in lower right corner turned from red to green)
Open the console and watch the CSP errors regarding script-src and style-src directives
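
A check that can be run against a captured response to confirm the mismatch described in this report, as an added example (not TYPO3 code): it lists tags that carry a nonce attribute whose value is absent from the governing directive of the Content-Security-Policy header. The header, markup, file paths and nonce value are constructed, and directive handling is simplified (no `default-src` fallback, no `script-src-elem`/`style-src-elem`).

```python
from html.parser import HTMLParser

# Directive that governs each nonce-bearing tag (simplified assumption:
# <link> is treated as a stylesheet link).
DIRECTIVE_FOR_TAG = {"script": "script-src", "style": "style-src", "link": "style-src"}


def policy_nonces(csp_header):
    """Map directive name -> set of nonce values listed in that directive."""
    result = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = {s[7:-1] for s in tokens[1:]
                                         if s.startswith("'nonce-") and s.endswith("'")}
    return result


class NonceCollector(HTMLParser):
    """Collect (tag, nonce, is_external) for every tag with a nonce attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in DIRECTIVE_FOR_TAG and a.get("nonce"):
            self.found.append((tag, a["nonce"], "src" in a or "href" in a))


def unannounced_nonces(csp_header, html):
    """Return tags whose nonce is missing from the governing directive."""
    allowed = policy_nonces(csp_header)
    collector = NonceCollector()
    collector.feed(html)
    return [(tag, nonce, external) for tag, nonce, external in collector.found
            if nonce not in allowed.get(DIRECTIVE_FOR_TAG[tag], set())]


# Constructed sample: policy sent without a nonce, markup carrying one.
SAMPLE_CSP = "default-src 'self'; script-src 'self'; style-src 'self'"
SAMPLE_HTML = """
<link rel="stylesheet" href="/adminpanel.css" nonce="CONSTRUCTED123">
<script src="/adminpanel.js" nonce="CONSTRUCTED123"></script>
<script nonce="CONSTRUCTED123">console.log("inline")</script>
"""
```

Each returned tuple is `(tag, nonce, is_external)`; the third field marks tags that reference a file through `src`/`href`, the second case the report mentions.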