[BUGFIX] Grant inline scripts & styles via CSP in admin panel output

The admin panel uses Symfony's `HtmlDumper` to output data - which is
adding inline JavaScript and StyleSheet elements. To be compatible with
CSP those elements need to be allowed with a nonce attribute.

This change relies on a merged pull request for Symfony v6.3:
https://github.com/symfony/symfony/pull/49977

Executed commands:

    composer req symfony/var-dumper:^6.3
    composer req symfony/var-dumper:^6.3 \
      -d typo3/sysext/adminpanel --no-update

Resolves: #100456
Releases: main, 12.4
Change-Id: I7fcea196107959db85257c7d735f85a9e78839d2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79204
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Showing
- composer.json: 1 addition, 1 deletion
- composer.lock: 7 additions, 13 deletions
- typo3/sysext/adminpanel/Classes/Modules/Debug/Events.php: 7 additions, 1 deletion
- typo3/sysext/adminpanel/Classes/Utility/HtmlDumper.php: 60 additions, 0 deletions
- typo3/sysext/adminpanel/Configuration/ContentSecurityPolicies.php: 28 additions, 0 deletions
- typo3/sysext/adminpanel/Configuration/Services.yaml: 2 additions, 0 deletions
- typo3/sysext/adminpanel/composer.json: 1 addition, 1 deletion
- typo3/sysext/frontend/Classes/Html/HtmlWorker.php: 20 additions, 0 deletions