Bug #93884
fileadmin/.htaccess (resources-root-htaccess) partially blocks SVG files
Status: Closed (100% done)
Added by Marco H over 3 years ago. Updated almost 2 years ago.
Description
So with version 10.4.11, the file "resources-root-htaccess", which generates .htaccess inside fileadmin, has been updated to a stricter CSP.
This causes problems with SVG files uploaded since SVG files may contain style and script tags, also style attributes. The SVG may then be all black or lack animation.
Would the best approach be to match svg files (like it is done with pdf) and change the CSP?
Files
- test.svg (1.53 KB) | Marco H, 2021-05-14 21:08
- resources-root-htaccess (1.89 KB) | Andreas Hager, 2021-08-19 17:57
- svg-style.svg (921 Bytes) | Test SVG for CSP | Oliver Hader, 2022-08-31 09:59
Updated by Georg Ringer over 3 years ago
- Related to Bug #93035: fileadmin/.htaccess prevents Safari from accessing PDF files (after latest security update) added
Updated by Georg Ringer over 3 years ago
- Status changed from New to Needs Feedback
Can you check if this is still the case in the latest versions, after the changes of #93035?
Updated by Marco H over 3 years ago
Still an issue with 10.4.16
To best reproduce the issue, upload it to fileadmin and click "show" (the error is not as reliably reproducible when the file is used in an img tag).
I've attached an SVG file for testing; it causes a CSP inline style error:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-sC0BVe7Sre2mjplSlS8Lw5K2vnLaWV+cQjtuz6e2u+Y='), or a nonce ('nonce-...') is required to enable inline execution.
Updated by Andreas Hager over 3 years ago
- File resources-root-htaccess resources-root-htaccess added
Still an issue with TYPO3 v10.4.20
We have the same problem: our customers upload SVGs with inline styles, and they are not allowed due to the CSP rule.
We changed the following code to allow inline styles for SVGs (complete file attached).
<FilesMatch "\.pdf$">
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
</FilesMatch>
+ # matching requested *.svg files only (allow inline styles for SVGs)
+ <FilesMatch "\.svg$">
+ Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';"
+ </FilesMatch>
# matching anything else, using negative lookbehind pattern
- <FilesMatch "(?<!\.pdf)$">
+ <FilesMatch "(?<!\.(pdf|svg))$">
Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</FilesMatch>
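Review bot: the new `<FilesMatch "\.svg$">` section and the extended lookbehind `(?<!\.(pdf|svg))$` are case-sensitive, so an upload named `logo.SVG` is not matched by the SVG section, is not excluded by the lookbehind either, and therefore falls through to the catch-all with `style-src 'none'`, still producing the inline-style error this ticket is about; if upper-case extensions should get the relaxed policy, prefix both patterns with `(?i)`. It would also help to state in the comment above the SVG section that `style-src 'unsafe-inline'` deliberately omits `'self'`: only inline `<style>` elements and `style=""` attributes are permitted, while stylesheets referenced from the SVG (external or same-origin) remain blocked.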
Hope this helps! :)
Updated by Oliver Hader about 2 years ago
- File svg-style.svg svg-style.svg added
Using directive style-src 'unsafe-inline' for .svg files seems to be fine (not talking about inline SVG embedded in HTML, which is totally different).
The attached test file svg-style.svg tries to load external CSS resources (e.g. used for IP sniffing, data-privacy related). CSP still should block these kinds of requests.
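The two behaviours discussed in this thread (the inline-style error from the reproduction above, and the expectation that an SVG pulling in external CSS still gets blocked) follow from how CSP resolves `style-src` against `default-src`. The following is an added example, not code from TYPO3 or from anyone in this thread: it takes the three FilesMatch/CSP pairs from the proposed .htaccess snippet, picks the header Apache would send for a given filename, and evaluates whether an inline `<style>` and an external or same-origin stylesheet would be allowed. The filenames, the `site.example` origin and the `tracker.example` stylesheet URL are constructed, and the source-expression matching is a simplified version of the CSP algorithm (no nonces, hashes or path matching).

```python
import re
from urllib.parse import urlsplit

# Constructed from the .htaccess snippet proposed in this thread: each FilesMatch
# pattern and the Content-Security-Policy value it sets. Apache evaluates every
# matching <FilesMatch> in order and "Header set" replaces the header, so the
# last matching section wins.
FILESMATCH_RULES = [
    (r"\.pdf$",
     "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"),
    (r"\.svg$",
     "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';"),
    (r"(?<!\.(pdf|svg))$",
     "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"),
]

# Fetch directives that fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"style-src", "script-src", "img-src", "font-src",
                    "connect-src", "object-src", "media-src", "frame-src"}


def csp_for_filename(filename):
    """Return the CSP header value Apache would send for a file in fileadmin/."""
    chosen = None
    for pattern, header in FILESMATCH_RULES:
        if re.search(pattern, filename):   # case-sensitive, like FilesMatch
            chosen = header
    return chosen


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`; None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def allows_inline_style(policy):
    """Would a <style> element or style="" attribute inside the document be applied?"""
    sources = effective_sources(policy, "style-src")
    # Without nonces or hashes in the policy, 'unsafe-inline' is what decides this.
    return sources is None or "'unsafe-inline'" in sources


def allows_external_style(policy, document_url, stylesheet_url):
    """Would a stylesheet referenced from the document (e.g. <?xml-stylesheet?>) be fetched?"""
    sources = effective_sources(policy, "style-src")
    if sources is None:
        return True
    doc, sheet = urlsplit(document_url), urlsplit(stylesheet_url)
    for source in sources:
        if source == "'none'":
            return False
        if source == "'self'" and (sheet.scheme, sheet.netloc) == (doc.scheme, doc.netloc):
            return True
        # Simplified host/scheme matching; real CSP also handles wildcards and paths.
        if source in ("*", sheet.scheme + ":") or source.lower() == sheet.netloc.lower():
            return True
    return False


def evaluate(filename, origin="https://site.example",
             external_css="https://tracker.example/style.css"):
    """Summarise what the served CSP permits for one fileadmin/ upload (constructed URLs)."""
    policy = parse_csp(csp_for_filename(filename))
    document_url = f"{origin}/fileadmin/{filename}"
    return {
        "inline_style": allows_inline_style(policy),
        "external_style": allows_external_style(policy, document_url, external_css),
        "same_origin_style": allows_external_style(policy, document_url, f"{origin}/fileadmin/base.css"),
    }


if __name__ == "__main__":
    for name in ("test.svg", "report.pdf", "notes.txt", "LOGO.SVG"):
        print(name, csp_for_filename(name), evaluate(name), sep="\n  ")
```

Running it shows that `test.svg` gets inline styles but no external or same-origin stylesheets (the relaxed section sets `style-src` without `'self'`), a PDF inherits `'self' 'unsafe-inline'` from `default-src`, anything hitting the catch-all gets the `style-src 'none'` violation quoted above, and an upper-case `LOGO.SVG` lands in the catch-all because the patterns are case-sensitive.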
Updated by Gerrit Code Review about 2 years ago
- Status changed from Needs Feedback to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594
Updated by Gerrit Code Review about 2 years ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594
Updated by Gerrit Code Review about 2 years ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594
Updated by Sven Burkert almost 2 years ago
- Priority changed from Should have to Must have
- Complexity set to easy
@Andreas Hager Thank you:)
I'm wondering why this hasn't been implemented in TYPO3 yet. Every TYPO3 system is affected by this when using SVGs.
Why is the review taking so long?
Updated by Gerrit Code Review almost 2 years ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594
Updated by Oliver Hader almost 2 years ago
- Related to Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug added
Updated by Oliver Hader almost 2 years ago
- Related to deleted (Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug)
Updated by Oliver Hader almost 2 years ago
- Has duplicate Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug added
Updated by Oliver Hader almost 2 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 1e026a625eb1727f8d78573bb66462087392010d.
Updated by Gerrit Code Review almost 2 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77456
Updated by Gerrit Code Review almost 2 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77457
Updated by Oliver Hader almost 2 years ago
- Status changed from Under Review to Resolved
Applied in changeset a0c0e57a7b264fe527aee74062af5d3dbb882c51.
Updated by Benni Mack almost 2 years ago
- Status changed from Resolved to Closed
Updated by Georg Ringer over 1 year ago
- Related to Bug #100041: Unexpected warning in environment status check after new CSP default for svg files in resources root htaccess added