[BUGFIX] Do not render nonceProxy if nonce has not been consumed
Allow proxies to cache the TYPO3 content by stripping the nonce from the generated CSP header if the nonce was not actually consumed. Also ensure that the nonce value substitution consumes a nonce to ensure that (replaced) nonces in cached content receive a matching CSP header as well.

Resolves: #103942
Releases: main, 12.4
Change-Id: I437c83de522ff4a6f4ee0ef2f13881d24bfb990c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84435
Tested-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Kai Ole Hartwig <o.hartwig@moselwal.de>
Tested-by: Willi Wehmeier <wwwehmeier@gmail.com>
Reviewed-by: Willi Wehmeier <wwwehmeier@gmail.com>
Showing
- typo3/sysext/core/Classes/Security/ContentSecurityPolicy/ModelService.php (2 additions, 2 deletions)
- typo3/sysext/core/Tests/Functional/Security/ContentSecurityPolicy/PolicyTest.php (10 additions, 0 deletions)
- typo3/sysext/frontend/Classes/Cache/NonceValueSubstitution.php (3 additions, 3 deletions)
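The behaviour the commit message describes, as an added sketch that is not TYPO3's code: a nonce that tracks whether it was consumed, a header renderer that drops the nonce source when it was not, and a cache substitution step that consumes it. `LazyNonce`, `NONCE_PROXY`, `renderCsp`, `substituteNonce` and the `{{NONCE}}` placeholder are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; not TYPO3's ModelService or NonceValueSubstitution.
const NONCE_PROXY = "'nonce-proxy'"; // sentinel source standing in for the per-request nonce

final class LazyNonce
{
    private bool $consumed = false;
    public function __construct(public readonly string $value) {}
    // Called whenever markup actually embeds the nonce.
    public function consume(): string { $this->consumed = true; return $this->value; }
    public function isConsumed(): bool { return $this->consumed; }
}

// Render the header: the sentinel becomes 'nonce-<value>' only if the nonce was
// consumed; otherwise it is dropped, so the header is identical on every request.
function renderCsp(array $directives, LazyNonce $nonce): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $rendered = [];
        foreach ($sources as $source) {
            if ($source !== NONCE_PROXY) {
                $rendered[] = $source;
            } elseif ($nonce->isConsumed()) {
                $rendered[] = "'nonce-" . $nonce->value . "'";
            }
        }
        $parts[] = trim($name . ' ' . implode(' ', $rendered));
    }
    return implode('; ', $parts);
}

// Cached markup carries a placeholder. Replacing it must consume the nonce,
// otherwise the body would hold a nonce that the header does not allow.
function substituteNonce(string $cachedHtml, string $placeholder, LazyNonce $nonce): string
{
    return str_contains($cachedHtml, $placeholder)
        ? str_replace($placeholder, $nonce->consume(), $cachedHtml)
        : $cachedHtml;
}

$policy = ['script-src' => ["'self'", NONCE_PROXY]]; // constructed sample policy

$unused = new LazyNonce(base64_encode(random_bytes(16)));
echo renderCsp($policy, $unused), "\n"; // nonce source stripped, header is cacheable

$used = new LazyNonce(base64_encode(random_bytes(16)));
$html = substituteNonce('<script nonce="{{NONCE}}">init()</script>', '{{NONCE}}', $used);
echo renderCsp($policy, $used), "\n";   // header carries the same nonce as $html
```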