Bug #106561

open

CSP prevents sitemap.xml inline CSS styles with script-src: strict-dynamic

Added by André Buchmann 16 days ago. Updated 16 days ago.

Status: New
Priority: Should have
Assignee: -
Category: Content Security Policy
Target version: -
Start date: 2025-04-11
% Done: 0%
TYPO3 Version: 13
Tags: csp

Description

When setting the script-src to "strict-dynamic" the CSS/Sitemap.xsl causes CSP violations:

Refused to load the script 'https://smk.ddev.site/_assets/984e6ee9829f85eb447bb6a36455204a/CSS/Sitemap.xsl' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'unsafe-inline' https: 'report-sample'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Minimal csp.yaml to reproduce:

inheritDefault: true
mutations:
  - mode: "extend" 
    directive: "script-src" 
    sources:
      - "'strict-dynamic'" 

TYPO3 13.4.9

The solution of https://forge.typo3.org/issues/103149 is not compatible with strict-dynamic.


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #103149: CSP prevents sitemap.xml inline CSS styles (Resolved, 2024-02-19)
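
The browser message quoted in the description names two rules: 'strict-dynamic' switches off host and scheme allowlisting, and script-src is the fallback when script-src-elem is absent. The following is an added example, not part of the report and not TYPO3 code: a simplified model of that check, run against the policy and URL from the report. The function names, the parserInserted flag and documentOrigin are assumptions made for the illustration, and hash sources are left out.

```javascript
// Simplified model of a browser's CSP check for a script-like fetch (added example).
// Covers directive fallback, nonces, scheme sources, 'self' and 'strict-dynamic' only.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function checkScriptLoad(header, req) {
  const policy = parseCsp(header);
  // Fallback chain named in the browser message: script-src-elem, then script-src.
  const directive = ['script-src-elem', 'script-src', 'default-src'].find(d => policy.has(d));
  if (!directive) return { allowed: true, reason: 'no directive governs scripts' };
  const sources = policy.get(directive);

  if (req.nonce && sources.includes(`'nonce-${req.nonce}'`)) {
    return { allowed: true, reason: `${directive}: nonce match` };
  }
  if (sources.some(s => s.toLowerCase() === "'strict-dynamic'")) {
    // Host, scheme and 'self' sources are skipped; only a nonce (above) or
    // insertion by an already trusted script lets the load through.
    return req.parserInserted
      ? { allowed: false, reason: `${directive}: 'strict-dynamic' disables allowlisting` }
      : { allowed: true, reason: `${directive}: trust propagated by 'strict-dynamic'` };
  }
  const url = new URL(req.url);
  const hit = sources.some(s =>
    (s.toLowerCase() === "'self'" && url.origin === req.documentOrigin) ||
    s.toLowerCase() === url.protocol);   // scheme source such as https:
  return { allowed: hit, reason: `${directive}: ${hit ? 'source match' : 'no matching source'}` };
}

// Policy and URL as quoted in the report; the load is modelled as parser-inserted (assumption).
const REPORTED = "script-src 'strict-dynamic' 'unsafe-inline' https: 'report-sample'";
const XSL = {
  url: 'https://smk.ddev.site/_assets/984e6ee9829f85eb447bb6a36455204a/CSS/Sitemap.xsl',
  documentOrigin: 'https://smk.ddev.site',
  parserInserted: true,
};
const WITHOUT_STRICT = REPORTED.replace("'strict-dynamic' ", '');

console.log(checkScriptLoad(REPORTED, XSL));        // refused, as in the report
console.log(checkScriptLoad(WITHOUT_STRICT, XSL));  // allowed through https:
```

The same policy without 'strict-dynamic' lets the stylesheet through on the https: scheme source, so a source-list entry cannot help once 'strict-dynamic' is present.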

#1

Updated by Georg Ringer 16 days ago

  • Related to Bug #103149: CSP prevents sitemap.xml inline CSS styles added
#2

Updated by Garvin Hicking 16 days ago

  • Category set to Content Security Policy
  • Tags set to csp