typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php · 96c8577e6d0dec6d0737f488e9819298eb391c40 · TYPO3 / TYPO3.CMS

[BUGFIX] Inject CSP nonce values only if CSP feature is enabled · 96c8577e

Oliver Hader authored 1 year ago

Currently, CSP nonce values are used per default during the frontend
rendering process (which basically would be fine). However, this also
leads to the situation, that the page is not considered to be fully
cached anymore (`INTincScript`).

With this change, CSP nonce values are only used if the corresponding
CSP feature is enabled for the frontend scope.

Resolves: #100886
Releases: main, 12.4
Change-Id: I874b16a2c3f4791bfa4b0e9eb508c97b5485f1d0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79058


Tested-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: core-ci <typo3@b13.com>

96c8577e

ContentSecurityPolicyHeaders.php 2.96 KiB