Bug #95312: SVG Style-Tag CSP-Block / Firefox-Bug - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #95312

closed

SVG Style-Tag CSP-Block / Firefox-Bug

Added by Neobe Parlot over 2 years ago. Updated about 1 year ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Install Tool

Target version:

Candidate for patchlevel

Start date:

2021-09-22

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

7.4

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

Problem: SVG-Files with Style-Tag are rendered black in Firefox (or Chrome opened in seperate tab).

Related Information: https://www.sebkln.de/en/tutorials/http-security-header-part-2-csp/#svg-files

Firefox-Bug-Report: https://bugzilla.mozilla.org/show_bug.cgi?id=1262842

Workaround / Solution:
Adding this Part to .htaccess under /fileadmin (Line ~13/14)

<IfModule mod_headers.c>
    <FilesMatch "\.(svgz?)$">
        Header set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'" 
    </FilesMatch>
</IfModule>

Feature request:
can we get an option to change the source of "resources-root-htaccess" which is used in "environment (installtool) -> fix folderstructure"?
web/typo3/sysext/install/Classes/FolderStructure/DefaultFactory.php
web/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess

Related issues 2 (0 open — 2 closed)

Actions

Copy link

Updated by Oliver Hader over 2 years ago

Category changed from Security to Install Tool
Assignee deleted (~~Oliver Hader~~)

Actions

Copy link

Updated by Benni Mack over 2 years ago

Target version changed from 11 LTS to Candidate for patchlevel

Actions

Copy link

Updated by Oliver Hader over 2 years ago

Related to Bug #92893: SVG sprites are a breaking change, requiring CSP `default-src` to not be 'none'. Otherwise, icons are blocked in Firefox. added

Actions

Copy link