Task #91216

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Task #91785: Refactor and remove inline styles in backend

Replace <style> for compliance with CSP header

Added by TYPO3 GmbH TYPO3com about 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2020-04-28
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

SVG is not loaded when the Content-Security-Policy header contains the widely used setting "style-src 'self';" because then the browser must reject loading external files containing styles. In this case a black rectangle is displayed.
Using attributes instead of styles is compliant with CSP "style-src 'self';" and the file will be loaded.

This issue was automatically created from https://github.com/TYPO3/TYPO3.CMS/pull/247
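An added example (not part of the issue or of TYPO3's own code) showing the check behind this task: it counts the `<style>` elements and `style=""` attributes in an SVG that a CSP of `style-src 'self'` would block, and rewrites the simple `style` attributes into equivalent presentation attributes. The sample SVG is constructed for this example; `<style>` elements are only reported, since class selectors cannot be mapped mechanically.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep <svg> unprefixed when serialising

# Constructed sample, not a TYPO3 core file: one <style> element and two
# style attributes, all of which a CSP "style-src 'self'" would block.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
<style>.a{fill:#ff8700}</style>
<rect class="a" x="1" y="1" width="14" height="14" style="fill:#ff8700; stroke:#000"/>
<circle cx="8" cy="8" r="3" style="fill: none ;stroke-width:2"/>
</svg>"""


def style_to_attributes(style):
    """Parse 'prop: value; ...' into a dict of presentation attributes."""
    attrs = {}
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue  # empty or malformed declaration
        prop, value = declaration.split(":", 1)
        attrs[prop.strip()] = value.strip()
    return attrs


def audit_svg(svg_text):
    """Return (number of <style> elements, number of style attributes)."""
    root = ET.fromstring(svg_text)
    style_elements = sum(1 for _ in root.iter(f"{{{SVG_NS}}}style"))
    style_attributes = sum(1 for el in root.iter() if "style" in el.attrib)
    return style_elements, style_attributes


def convert_style_attributes(svg_text):
    """Rewrite style="..." attributes as presentation attributes.

    <style> elements are left untouched because class selectors cannot be
    mapped mechanically; their count is returned so they can be fixed by hand.
    """
    root = ET.fromstring(svg_text)
    for el in root.iter():
        style = el.attrib.pop("style", None)
        if style is None:
            continue
        for prop, value in style_to_attributes(style).items():
            el.set(prop, value)  # inline CSS wins over attributes, so overwrite
    remaining = sum(1 for _ in root.iter(f"{{{SVG_NS}}}style"))
    return ET.tostring(root, encoding="unicode"), remaining
```

Running `audit_svg` over the files listed in the comments below gives the same picture as a `style=` grep, but also catches `<style>` elements that the grep misses.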

#1

Updated by Gerrit Code Review about 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64331

#2

Updated by Gerrit Code Review almost 2 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64331

#3

Updated by Oliver Hader almost 2 years ago

  • Parent task set to #91785

#4

Updated by Riccardo De Contardi over 1 year ago

quick search for the string style= inside the core files:

typo3/sysext/install/Resources/Public/Images/TestInput/Test.svg
typo3/sysext/core/Tests/Functional/Imaging/Fixtures/file.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/information.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/content.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/modulegroup.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/files.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/apps.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/actions.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/install.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/mimetypes.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/default.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/miscellaneous.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/form.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/spinner.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/overlay.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/module.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/status.svg
typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/avatar.svg
typo3/sysext/redirects/Resources/Public/Icons/Extension.svg
typo3/sysext/redirects/Resources/Public/Icons/mimetypes-x-sys_redirect.svg

should an issue on https://github.com/TYPO3/TYPO3.Icons be opened?

#5

Updated by Riccardo De Contardi over 1 year ago

  • Category set to Security

#6

Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64331

#7

Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64331

#8

Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67693

#9

Updated by Ute Flierl over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#10

Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed
