[BUGFIX] Fix sudo mode in non-Sec-Fetch-Dest context

Since #94084 all module URLs are automatically framed by the TYPO3 main controller whenever they are opened in a Sec-Fetch-Dest aware request (HTTPS or localhost domain).

The intention of the API is to allow module-links to be opened in a new tab by user intent – but due to technical limitation that feature is limited to secure contexts, and must therefore not be relied on as an API for internal redirects.

Sudo mode made use of this API and redirected via top.location to the privileged module, relying on the fact that iframe module-requests were detected to be loaded in the wrong context, to produce a redirect to the proper backend-frame. This didn't work for non-HTTPS requests.

This workaround has been done to remove "sudo-mode" from the URL bar. That workaround is no longer needed as #101287 added support for installtool URL bar synchronisation. ContentContainer API is now used to set the URL.

Releases: main, 12.4
Resolves: #101288
Related: #101287
Change-Id: Id8b828662e3cd2739a93eda5f9517f896c65e941
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79921
Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>

Showing
- Build/Sources/TypeScript/backend/security/element/sudo-mode.ts (2 additions, 3 deletions)
- typo3/sysext/backend/Classes/Controller/Security/SudoModeController.php (0 additions, 1 deletion)
- typo3/sysext/backend/Resources/Public/JavaScript/security/element/sudo-mode.js (2 additions, 2 deletions)