Project

General

Profile

Actions
Copy link

Bug #92893

closed

SVG sprites are a breaking change, requiring CSP `default-src` to not be 'none'. Otherwise, icons are blocked in Firefox.

Added by Leonie Philine over 3 years ago. Updated 16 days ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend User Interface
Target version:
-
Start date:
2020-11-20
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.4
Tags:
pending-close
Complexity:
easy
Is Regression:
Yes
Sprint Focus:

Description

Backend icons are broken in Firefox on sites with a good CSP policy, applying a strict `default-src: 'none'` and using granular controls for e.g. `script-src`, `img-src` etc.

Example of a TYPO3 backend CSP: (Yeah, we don't like unsafe-inline and unsafe-eval, either!)

Content-Security-Policy: default-src 'none'; font-src 'self'; img-src 'self' data:; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; manifest-src 'self'

In Firefox, the SVG Sprite icons (introduced in a security patch version!) are not displayed, because `img-src` does not apply. See bugs:

- https://bugzilla.mozilla.org/show_bug.cgi?id=1303364#c4
- https://github.com/w3c/webappsec-csp/issues/199
- https://github.com/w3c/webappsec-csp/issues/198

This should probably have been a "breaking change" for TYPO3 11, since admins / devops engineers will need to open up the CSP policy now.

Regression, please undo.

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Task #92689: Update @typo3/icons to v2 and support icon spritesClosed2020-10-23

Actions
Related to TYPO3 Core - Bug #95312: SVG Style-Tag CSP-Block / Firefox-BugClosed2021-09-22

Actions
Actions
Copy link
 #1

Updated by Leonie Philine over 3 years ago

Implementation detail:

The new SVG sprites use xlink:href - e.g.:

<use xlink:href="/typo3/sysext/core/Resources/Public/Icons/T3Icons/sprites/apps.svg#apps-pagetree-page-shortcut-external />

However, xlink:href is deprecated:

Actions
Copy link
 #2

Updated by Oliver Hader over 3 years ago

  • Related to Task #92689: Update @typo3/icons to v2 and support icon sprites added
Actions
Copy link
 #3

Updated by Oliver Hader over 3 years ago

Without having it tested... the only work-around for this seems to weaken default-src, but restrict remaining fetch directives.

Any token/hash based grant probably would not work with inline SVGs.

# Fetch directives
Content-Security-Policy: default-src 'self'; connect-src 'self'
Content-Security-Policy: font-src 'self'; img-src 'self' data:
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'
Content-Security-Policy: style-src 'self' 'unsafe-inline'
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'

# note: media-src was missing, probably should be 'self' instead for a CMS
Content-Security-Policy: child-src 'none'; object-src 'none'; media-src 'none'

# W3C working draft directives
Content-Security-Policy: prefetch-src 'none'; worker-src 'none'

# Document & Navigate directives
Content-Security-Policy: base-uri 'self'; form-action 'self'; manifest-src 'self'

given policy in report

Content-Security-Policy:
  default-src 'none'; connect-src 'self';
  font-src 'self'; img-src 'self' data:;
  script-src 'self' 'unsafe-inline' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  frame-src 'self'; frame-ancestors 'self';

  object-src 'none';

  base-uri 'self'; form-action 'self'; manifest-src 'self'
Actions
Copy link
 #4

Updated by Oliver Hader over 2 years ago

  • Related to Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug added
Actions
Copy link
 #5

Updated by Oliver Hader over 2 years ago

  • Status changed from New to Needs Feedback
Actions
Copy link
 #6

Updated by Oliver Hader over 2 years ago

Tested the following CSP settings in a TYPO3 backend of version 11:

Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; frame-src 'self'; child-src 'none'; object-src 'none'; prefetch-src 'none'; worker-src 'self' blob:;

Side notes:

  • script-src
    • unsafe-eval was removed
    • unsafe-inline is still kept due to CKEditor v4 doing inline magic (basically not using DOM operations, but using document.write)
  • worker-src
    • blob: allowed for muuri.js which is used in the Dashboard view
  • default-src
    • weakened from none to self
    • adjusted child-src, object-src and prefect-src to keep none
Actions
Copy link
 #7

Updated by Oliver Hader over 2 years ago

There's still a lot of things to do for applying real secure CSP settings for the TYPO3 backend (the initially reported rules are not considered secure due to unsafe-eval and unsafe-inline). Please let me know whether the adjusted CSP above fits your needs for the time being. Thanks in advance!

Actions
Copy link
 #8

Updated by Oliver Hader over 1 year ago

  • Tags changed from CSP to pending-close

Could not reproduce in TYPO3 v12.2-dev anymore...

Actions
Copy link
 #9

Updated by Riccardo De Contardi 16 days ago

  • Status changed from Needs Feedback to Closed
  • Target version deleted (Candidate for patchlevel)

Sorry but I close this issue as it seems it affects only v.11 (which is in "Priority bugfix mode")

If you think that this is the wrong decision or experience the issue on more recent TYPO3 versions like 12 or 13 please open a new issue with a reference to this one.

Thank you and best regards

Actions
Copy link

Also available in: Atom PDF