[BUGFIX] Allow CSP inline styles in directly requested SVG files

Using CSP directive `style-src 'unsafe-inline'` seems to be fine for directly requested SVG files, since corresponding definitions are bound to the corresponding resource. Loading styles from any other external resource is still denied. Resolves: #93884 Releases: main, 11.5, 10.4 Change-Id: Ifddf8782ecaa81bf26026ae8850d8c53b7977bd7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77456 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org>

[BUGFIX] Allow CSP inline styles in directly requested SVG files
Using CSP directive `style-src 'unsafe-inline'` seems to be fine for directly requested SVG files, since corresponding definitions are bound to the corresponding resource. Loading styles from any other external resource is still denied. Resolves: #93884 Releases: main, 11.5, 10.4 Change-Id: Ifddf8782ecaa81bf26026ae8850d8c53b7977bd7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77456 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org>
a0c0e57a · Oliver Hader · Oliver Hader · 504abbed · a0c0e57a · a0c0e57a
Commit a0c0e57a authored 2 years ago by Oliver Hader Committed by Oliver Hader 2 years ago
--- a/typo3/sysext/core/Classes/Controller/FileDumpController.php
+++ b/typo3/sysext/core/Classes/Controller/FileDumpController.php
@@ -266,9 +266,13 @@ class FileDumpController
    {
        $extension = PathUtility::pathinfo($file->getName(), PATHINFO_EXTENSION);
        // same as in `typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess`
-        $policy = $extension === 'pdf' || $response->getHeaderLine('content-type') === 'application/pdf'
+        if ($extension === 'pdf' || $response->getHeaderLine('content-type') === 'application/pdf') {
-            ? "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
+            $policy = "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;";
-            : "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
+        } elseif ($extension === 'svg' || $response->getHeaderLine('content-type') === 'image/svg+xml') {
+            $policy = "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';";
+        } else {
+            $policy = "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
+        }
        return $response->withAddedHeader('content-security-policy', $policy);
    }
 }
--- a/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess
+++ b/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess
@@ -7,8 +7,12 @@
    <FilesMatch "\.pdf$">
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
    </FilesMatch>
+    # matching requested *.svg files only (allows using inline styles when serving SVG files)
+    <FilesMatch "\.svg">
+        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';"
+    </FilesMatch>
    # matching anything else, using negative lookbehind pattern
-    <FilesMatch "(?<!\.pdf)$">
+    <FilesMatch "(?<!\.(?:pdf|svg))$">
        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
    </FilesMatch>