[BUGFIX] Use less restrictive CSP for showing PDF documents

Showing PDF documents in Safari browsers is blocked due to recent content-security-policy adjustments in `fileadmin/` directory. This change uses a less restrictive approach for PDF documents. Resolves: #93035 Releases: master, 10.4, 9.5 Change-Id: I58065e19c86c0054dc5f155e20d7f6a90baec20e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67081 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Marcus Schwemer <ms@schwemer.de> Tested-by: Benni Mack <benni@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Philipp Gampe <philipp.gampe@typo3.org> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Marcus Schwemer <ms@schwemer.de> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

[BUGFIX] Use less restrictive CSP for showing PDF documents
Showing PDF documents in Safari browsers is blocked due to recent content-security-policy adjustments in `fileadmin/` directory. This change uses a less restrictive approach for PDF documents. Resolves: #93035 Releases: master, 10.4, 9.5 Change-Id: I58065e19c86c0054dc5f155e20d7f6a90baec20e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67081 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Marcus Schwemer <ms@schwemer.de> Tested-by: Benni Mack <benni@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Philipp Gampe <philipp.gampe@typo3.org> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Marcus Schwemer <ms@schwemer.de> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
180bf9f6 · Oliver Hader · Oliver Hader · 2049dac1 · 180bf9f6
Commit 180bf9f6 authored 4 years ago by Oliver Hader Committed by Oliver Hader 4 years ago
--- a/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess
+++ b/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess
@@ -3,11 +3,31 @@
 # /fileadmin/ or /uploads/

 <IfModule mod_headers.c>
-    Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
+    # matching requested *.pdf files only (strict rules block Safari showing PDF documents)
+    <FilesMatch "\.pdf$">
+        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
+    </FilesMatch>
+    # matching anything else, using negative lookbehind pattern
+    <FilesMatch "(?<!\.pdf)$">
+        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
+    </FilesMatch>

-    # // comment previous line and use the following two lines instead
-    # // in order to only set the header when it has not be set before
-    # // (known as `setifempty` in Apache v2.4.7 - v2.2 fallback below)
-    # Header append Content-Security-Policy ""
-    # Header edit Content-Security-Policy "^$" "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
+    # =================================================================
+    # Variations to send CSP header only when it has not be set before.
+    # Adjust all `Header set` instructions above
+    #     Header set Content-Security-Policy "<directives>"
+    # with substitutes shown below
+    #
+    # -----------------------------------------------------------------
+    # a) for Apache 2.4 (having `setifempty`)
+    # -----------------------------------------------------------------
+    #     Header setifempty Content-Security-Policy "<directives>"
+    #
+    # -----------------------------------------------------------------
+    # b) for Apache 2.2 (using fallbacks)
+    # -----------------------------------------------------------------
+    #     Header append Content-Security-Policy ""
+    #     Header edit Content-Security-Policy "^$" "<directives>"
+    #
+    # =================================================================
 </IfModule>