Bug #106036
Updated by Patrick Broens 11 days ago
When you activate the admin panel on a frontend page as a logged-in backend user which does not have a consumed nonce, errors will show up regarding CSP. This is due to the fact that the admin panel adds script and link tags with a nonce, which has never been triggered to be consumed, so the nonce does not appear in the frontend content security policy. Only the nonce string is fetched. These HTML tags are right below the comment <!-- TYPO3 admin panel start --> in the source.
Requirements:
* Frontend content security policies enabled
* Page without any nonce (when not logged in)
* Logged in backend user
* The same page opened from the backend
* Admin panel enabled
* Admin panel activated in the page (switch in lower right corner turned from red to green)
Open the console and watch the CSP errors regarding the script-src and style-src directives.
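One way to check a rendered page for the mismatch described in this report, as an added example (not TYPO3 code and not from the reporter): it compares the nonce attributes on script, link and style tags with the nonces listed in the Content-Security-Policy header. The function names, header values, nonce and paths are constructed; the regex tag scan is a simplification and treats every link tag as a stylesheet.

```javascript
// Added example; header values, nonce and paths below are constructed.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Nonces a directive allows, falling back to default-src when it is absent.
function allowedNonces(policy, directive) {
  const sources = policy[directive] ?? policy['default-src'] ?? [];
  return new Set(sources
    .map((s) => /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]));
}

// Report every tag whose nonce attribute is not listed in the matching directive.
function findUnlistedNonces(cspHeader, html) {
  const policy = parseCsp(cspHeader);
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(/<(script|link|style)\b([^>]*)>/gi)) {
    const m = /\bnonce\s*=\s*["']([^"']*)["']/i.exec(attrs);
    if (!m) continue;
    // Assumption: link tags are stylesheets, so they are governed by style-src.
    const directive = tag.toLowerCase() === 'script' ? 'script-src' : 'style-src';
    if (!allowedNonces(policy, directive).has(m[1])) {
      findings.push({ tag: tag.toLowerCase(), directive, nonce: m[1] });
    }
  }
  return findings;
}

// Constructed page fragment: tags carry a nonce, as in the report.
const SAMPLE_HTML = `
<!-- TYPO3 admin panel start -->
<link rel="stylesheet" href="/constructed/panel.css" nonce="Q09OU1RSVUNURUQ">
<script src="/constructed/panel.js" nonce="Q09OU1RSVUNURUQ"></script>`;
// Constructed headers: the first never received the nonce, the second did.
const HEADER_WITHOUT_NONCE = "default-src 'self'; script-src 'self'; style-src 'self'";
const HEADER_WITH_NONCE = "default-src 'self'; script-src 'self' 'nonce-Q09OU1RSVUNURUQ'; " +
  "style-src 'self' 'nonce-Q09OU1RSVUNURUQ'";

console.log(findUnlistedNonces(HEADER_WITHOUT_NONCE, SAMPLE_HTML));
```

An empty result for a page with the admin panel active means every emitted nonce is also present in the policy.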