[BUGFIX] Adjust Content-Security-Policy reports check for SVG files
Issue #93884 provided and adjusted CSP header for SVG inline styles:

| default-src 'self'; script-src 'none';
| style-src 'unsafe-inline'; object-src 'none';

For SVG files, having 'unsafe-inline' for style-src is fine, since it only applies to the very same file and cannot include other local or remote resources.

Resolves: #100041
Releases: main, 12.4, 11.5
Change-Id: I198e0a8225ef6c0e729a3ae78981581b2d2b2205
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79033
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Showing
- typo3/sysext/install/Classes/SystemEnvironment/ServerResponse/ContentSecurityPolicyHeader.php (3 additions, 1 deletion)
- typo3/sysext/install/Classes/SystemEnvironment/ServerResponse/FileDeclaration.php (1 addition, 1 deletion)
- typo3/sysext/install/Classes/SystemEnvironment/ServerResponse/ServerResponseCheck.php (2 additions, 2 deletions)
- typo3/sysext/install/Tests/Unit/SystemEnvironment/ServerResponse/ContentSecurityPolicyHeaderTest.php (23 additions, 2 deletions)
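The rule from the commit message, sketched as an added PHP example (not TYPO3's own code): a response-header check that accepts 'unsafe-inline' in style-src only when the served file is an SVG. The function names, the sample file names and the choice to flag inline styles for non-SVG files are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/** Parse a CSP header value into [directive name => list of source expressions]. */
function parseCsp(string $header): array
{
    $directives = [];
    foreach (explode(';', $header) as $part) {
        $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === []) {
            continue; // empty segment, e.g. after the trailing ';'
        }
        $name = strtolower(array_shift($tokens));
        // A repeated directive is ignored by browsers: the first occurrence wins.
        $directives[$name] ??= array_map('strtolower', $tokens);
    }
    return $directives;
}

/** Source list that applies to a fetch directive, falling back to default-src. */
function effectiveSources(array $directives, string $name): ?array
{
    return $directives[$name] ?? $directives['default-src'] ?? null;
}

/** Return the reasons a header is reported for the given file (empty = passes). */
function cspFindings(string $header, string $fileName): array
{
    $d = parseCsp($header);
    $isSvg = strtolower(pathinfo($fileName, PATHINFO_EXTENSION)) === 'svg';
    $findings = [];
    foreach (['script-src', 'object-src'] as $name) {
        $sources = effectiveSources($d, $name);
        // An empty source list matches nothing, the same as 'none'.
        if ($sources === null || ($sources !== [] && $sources !== ["'none'"])) {
            $findings[] = "$name is not 'none'";
        }
    }
    $style = effectiveSources($d, 'style-src');
    // Assumption: inline styles are tolerated for SVG files only.
    if (!$isSvg && ($style === null || in_array("'unsafe-inline'", $style, true))) {
        $findings[] = 'style-src allows inline styles for a non-SVG file';
    }
    return $findings;
}

// Header value from the commit message; the file names are constructed samples.
$header = "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';";
foreach (['sample.svg', 'sample.html'] as $file) {
    $findings = cspFindings($header, $file);
    printf("%-12s %s\n", $file, $findings === [] ? 'ok' : implode('; ', $findings));
}
```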