Bug #93035

fileadmin/.htaccess prevents Safari from accessing PDF files (after latest security update)

Added by Alex Kellner 7 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2020-12-09
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

It seems that https://github.com/TYPO3/TYPO3.CMS/commit/444b05e6948829b7fb9e33cdb546f4cd9ec0ac9e or #92835 introduced a .htaccess file in fileadmin folder.

For whatever reason Safari on Desktop (e.g. version 14) blocks requests to pdf when this header is set (TYPO3 version 9.5.23):
Content-Security Policy: object-src 'none'

Here is s a german discussion about the Safari issue: https://www.apfeltalk.de/community/threads/safari-blockiert-ploetzlich-alle-pdfs.555787/


Files

before_a.png (65.7 KB) before_a.png Oliver Hader, 2020-12-10 13:28
before_b.png (76.6 KB) before_b.png Oliver Hader, 2020-12-10 13:28

Related issues

Related to TYPO3 Core - Bug #93884: fileadmin/.htaccess (resources-root-htaccess) partially blocks SVG filesNeeds Feedback2021-04-08

Actions
#1

Updated by Oliver Hader 7 months ago

(posted by @Peter Schuler at https://typo3.slack.com/archives/C0K5MU94J/p1605704844039500)

I dug a bit: to enable the plugin in Safari for my testcase object-src 'self'; is necessary, to drop console warnings additionally style-src 'unsafe-inline' thus resulting in:

<IfModule mod_headers.c>
  Header set Content-Security-Policy "default-src 'self'; style-src 'unsafe-inline'; script-src 'none'; object-src 'self';" 
</IfModule>

Which is of course a lot unsafer as it only establishes the CSP for JavaScript and a little bit for CSS, but as the aim is XSS and core probably doesn’t have any embed/object stuff this might be considered (by someone with more experience than me).
Thus for the time being perhaps a browser condition might be helpful:

<IfModule mod_headers.c>
  # global rule
  Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';" 
  # override for Safari PDF viewer case
  Header set Content-Security-Policy "default-src 'self'; style-src 'unsafe-inline'; script-src 'none'; object-src 'self';" "expr=%{HTTP_USER_AGENT} =~ m#AppleWebKit(.*)Version(.*)Safari(.*)#" 
</IfModule>

(The user agent detection at the back is necessary as “AppleWebKit” and “Safari” are also part of Chromes user string).
This is as far as my knowledge might help.

#2

Updated by Oliver Hader 7 months ago

Worked on an alternative here:

<IfModule mod_headers.c>
    # matching requested *.pdf files only (strict rules block Safari showing PDF documents)
    <FilesMatch "\.pdf$">
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;" 
    </FilesMatch>
    # matching anything else, using negative lookbehind pattern
    <FilesMatch "(?<!\.pdf)$">
        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';" 
    </FilesMatch>
</IfModule>
#3

Updated by Gerrit Code Review 7 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67081

#4

Updated by Oliver Hader 7 months ago

@Alex can you please verify whether the references patch at review.typo3.org solves the problem you described? Thanks in advance for your feedback!

#5

Updated by Oliver Hader 7 months ago

  • File Screen Shot 2020-12-10 at 14.25.16.png added
  • File Screen Shot 2020-12-10 at 14.25.36.png added
#6

Updated by Oliver Hader 7 months ago

  • File deleted (Screen Shot 2020-12-10 at 14.25.16.png)
#7

Updated by Oliver Hader 7 months ago

  • File deleted (Screen Shot 2020-12-10 at 14.25.36.png)
#8

Updated by Oliver Hader 7 months ago

This is how it looked before this patch in Safari


#9

Updated by Alex Kellner 7 months ago

@Oliver: I have no idea how to work with review.typo3.org. Nevertheless I tested both configurations and both are working:

<IfModule mod_headers.c>
  # global rule
  Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';" 
  # override for Safari PDF viewer case
  Header set Content-Security-Policy "default-src 'self'; style-src 'unsafe-inline'; script-src 'none'; object-src 'self';" "expr=%{HTTP_USER_AGENT} =~ m#AppleWebKit(.*)Version(.*)Safari(.*)#" 
</IfModule>
<IfModule mod_headers.c>
    # matching requested *.pdf files only (strict rules block Safari showing PDF documents)
    <FilesMatch "\.pdf$">
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;" 
    </FilesMatch>
    # matching anything else, using negative lookbehind pattern
    <FilesMatch "(?<!\.pdf)$">
        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';" 
    </FilesMatch>
</IfModule>
#10

Updated by Gerrit Code Review 7 months ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67087

#11

Updated by Gerrit Code Review 7 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/67088

#12

Updated by Oliver Hader 6 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#13

Updated by Benni Mack 6 months ago

  • Status changed from Resolved to Closed
#14

Updated by Georg Ringer about 1 month ago

  • Related to Bug #93884: fileadmin/.htaccess (resources-root-htaccess) partially blocks SVG files added

Also available in: Atom PDF