From 96c8577e6d0dec6d0737f488e9819298eb391c40 Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Tue, 16 May 2023 15:51:56 +0200
Subject: [PATCH] [BUGFIX] Inject CSP nonce values only if CSP feature is
 enabled

Currently, CSP nonce values are used by default during the frontend
rendering process (which in itself would be fine). However, this also
means that the page is no longer considered to be fully cached
(`INTincScript`), because a nonce substitution entry is registered.

With this change, CSP nonce values are only used if the corresponding
CSP feature is enabled for the frontend scope.

Resolves: #100886
Releases: main, 12.4
Change-Id: I874b16a2c3f4791bfa4b0e9eb508c97b5485f1d0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79058
Tested-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: core-ci <typo3@b13.com>
---
 typo3/sysext/frontend/Classes/Http/RequestHandler.php    | 3 ++-
 .../Classes/Middleware/ContentSecurityPolicyHeaders.php  | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/typo3/sysext/frontend/Classes/Http/RequestHandler.php b/typo3/sysext/frontend/Classes/Http/RequestHandler.php
index 876eefec2909..aa9eae00a3ca 100644
--- a/typo3/sysext/frontend/Classes/Http/RequestHandler.php
+++ b/typo3/sysext/frontend/Classes/Http/RequestHandler.php
@@ -22,6 +22,7 @@ use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Domain\ConsumableString;
 use TYPO3\CMS\Core\EventDispatcher\ListenerProvider;
 use TYPO3\CMS\Core\Http\Response;
 use TYPO3\CMS\Core\Information\Typo3Information;
@@ -140,7 +141,7 @@ class RequestHandler implements RequestHandlerInterface
             // in case the nonce value was actually consumed during the rendering process, add a
             // permanent substitution of the current value (that will be cached), with a future
             // value (that will be generated and issued in the HTTP CSP header)
-            if (count($nonce) > 0) {
+            if ($nonce instanceof ConsumableString && count($nonce) > 0) {
                 // nonce was consumed
                 $controller->config['INTincScript'][] = [
                     'target' => NonceValueSubstitution::class . '->substituteNonce',
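Review bot: The added `instanceof ConsumableString` guard is doing real work — on PHP 8 `count(null)` throws a `TypeError` — but nothing in the hunk explains why `$nonce` can now be something other than a `ConsumableString`, so the next maintainer may "simplify" it away. The comment at the top of the block should state the contract, e.g. `// $nonce is null when the CSP middleware did not set the 'nonce' attribute (feature disabled); only a ConsumableString can have been consumed`. Where `$nonce` is read lies above the hunk and the enclosing method begins and ends outside it, so I cannot confirm whether it is fetched via `getAttribute('nonce')` without a default.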
diff --git a/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php b/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
index 249b0ba5b13c..8299012ccf2c 100644
--- a/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
+++ b/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
@@ -48,12 +48,13 @@ final class ContentSecurityPolicyHeaders implements MiddlewareInterface
 
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        $request = $request->withAttribute('nonce', new ConsumableString($this->requestId->nonce->b64));
-        $response = $handler->handle($request);
-
+        // return early in case CSP shall not be used
         if (!$this->features->isFeatureEnabled('security.frontend.enforceContentSecurityPolicy')) {
-            return $response;
+            return $handler->handle($request);
         }
+        // make sure, the nonce value is set before processing the remaining middlewares
+        $request = $request->withAttribute('nonce', new ConsumableString($this->requestId->nonce->b64));
+        $response = $handler->handle($request);
 
         $site = $request->getAttribute('site');
         $scope = Scope::frontendSite($site);
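Review bot: Gating the `nonce` request attribute on the feature flag changes the contract for every downstream consumer, not only `RequestHandler`: `$request->getAttribute('nonce')` now yields `null` instead of a `ConsumableString` when `security.frontend.enforceContentSecurityPolicy` is off, and any view helper or renderer that calls `count()` or a consume method on it unguarded will fail; those consumers are not visible from this hunk, so they are worth grepping for before merge. The comment at the `withAttribute` line should document this, e.g. `// the 'nonce' attribute is only present when CSP is enforced; consumers must tolerate its absence`. A related operational caveat: pages rendered and cached while the flag is off carry no nonce substitution entry, so if the flag is later switched on, cached content served under a nonce-bearing CSP header will presumably lack matching `nonce` attributes and inline scripts/styles would be blocked until the frontend cache is flushed — worth a sentence in the commit message or the feature documentation. `process()` continues past the hunk, so how `$scope` is applied to the response is outside my view.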
-- 
GitLab