
Content-Security-Policy (CSP) Violation #113

Open
ohader opened this issue May 20, 2023 · 1 comment

Comments

ohader commented May 20, 2023

Current behavior

I received a CSP violation with a script sample like {"@context":"https://schema.org/","@grap, which refers back to the JSON-LD schema integration.

The tag is correctly embedded as <script type="application/ld+json" id="ext-schema-jsonld"> and should not cause any report at all. The browser agent used (see details below) references Chrome 86.04240.198, which was released in November 2020.

I think that adding a nonce="..." attribute, like <script type="application/ld+json" id="ext-schema-jsonld" nonce="..."> would not hurt here. Let me know what you think, I could work on a potential patch for TYPO3 v12.

CSP Violation

{"document-uri":"https://indiemusik-festival.de/events/festival-2023","referrer":"https://indiemusik-festival.de/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https://instagram.com https://*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https://instagram.com https://*.instagram.com; default-src 'self'; script-src 'self' 'nonce-qToWeo2MUDBp88EbdZ5PV-8E0vxZAb0qTfBWGYzH0fPs0cORNN0ZZw' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https://analytics.in-die-musik.de; script-src-elem 'self' 'nonce-qToWeo2MUDBp88EbdZ5PV-8E0vxZAb0qTfBWGYzH0fPs0cORNN0ZZw' https://analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https://cloud.in-die-musik.de; report-uri https://indiemusik-festival.de/@http-reporting?csp=report&requestTime=1684525087682294","disposition":"enforce","blocked-uri":"inline","line-number":1199,"column-number":39,"source-file":"about","status-code":0,"script-sample":"{\"@context\":\"https://schema.org/\",\"@grap"}

CSP Meta Data

{"addr":"40.94.102.0","agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/86.0.4240.198 Safari\/537.36"}
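As an added example (not code from this issue or from the schema extension), the following Python script does two things a site operator would want after seeing a report like the one above: it triages a CSP report and flags a blocked inline "script" whose sample is a JSON-LD object as a likely false positive (JSON-LD data blocks are never executed), and it renders the JSON-LD tag with the nonce attribute the issue proposes, escaping the JSON so that a string such as `</script>` inside the structured data cannot close the element. The report and user agent are constructed values modelled on the issue (domain, nonce and policy shortened), and the function names and verdict strings are assumptions of this example, not the extension's API.

```python
import json
import re
from html import escape

# Constructed CSP report and user agent, modelled on the ones quoted in the
# issue (domain, nonce and policy shortened; these are not the real values).
SAMPLE_REPORT = json.dumps({
    "document-uri": "https://example.test/events/festival-2023",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": (
        "default-src 'self'; "
        "script-src 'self' 'nonce-EXAMPLENONCE' 'report-sample'; "
        "script-src-elem 'self' 'nonce-EXAMPLENONCE' 'report-sample'"
    ),
    "disposition": "enforce",
    "blocked-uri": "inline",
    "line-number": 1199,
    "column-number": 39,
    "script-sample": "{\"@context\":\"https://schema.org/\",\"@grap",
})
SAMPLE_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36")

# A JSON-LD data block starts with an object whose first key is "@context"
# pointing at schema.org; 'report-sample' only sends the first 40 characters,
# which is enough to recognise it.
JSONLD_PREFIX = re.compile(r'^\s*\{\s*"@context"\s*:\s*"https?://schema\.org/?"')
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem"}


def chrome_major(agent: str):
    """Return the Chrome major version from a user-agent string, or None."""
    m = re.search(r"Chrome/(\d+)\.", agent)
    return int(m.group(1)) if m else None


def triage_report(report_json: str, agent: str) -> dict:
    """Classify one CSP report: a blocked inline script whose sample is a
    JSON-LD object is non-executable data, hence a likely false positive."""
    r = json.loads(report_json)
    directive = r.get("effective-directive") or r.get("violated-directive", "")
    sample = r.get("script-sample", "")
    inline_script = directive in SCRIPT_DIRECTIVES and r.get("blocked-uri") == "inline"
    jsonld = bool(JSONLD_PREFIX.match(sample))
    verdict = "likely-false-positive" if (inline_script and jsonld) else "needs-review"
    return {
        "verdict": verdict,
        "directive": directive,
        "chrome_major": chrome_major(agent),
        "policy_uses_nonce": "'nonce-" in r.get("original-policy", ""),
        "document_uri": r.get("document-uri"),
    }


def render_jsonld_script(data: dict, nonce: str, element_id: str = "ext-schema-jsonld") -> str:
    """Emit the JSON-LD <script> tag with a nonce attribute, as the issue proposes.
    '<', '>' and '&' in the JSON are written as \\uXXXX escapes (still valid JSON),
    so a string like '</script>' inside the data cannot close the element."""
    if not re.fullmatch(r"[A-Za-z0-9+/=_-]+", nonce):
        raise ValueError("nonce must be base64/base64url text")
    payload = (json.dumps(data, separators=(",", ":"))
               .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))
    return (f'<script type="application/ld+json" id="{escape(element_id, quote=True)}" '
            f'nonce="{nonce}">{payload}</script>')


if __name__ == "__main__":
    print(json.dumps(triage_report(SAMPLE_REPORT, SAMPLE_AGENT), indent=2))
    print(render_jsonld_script({"@context": "https://schema.org/", "@type": "Event",
                                "name": "Festival 2023"}, "EXAMPLENONCE"))
```

The triage keeps the Chrome major version in its result so that reports can be grouped by browser build before deciding whether a policy change is warranted; the nonce is validated against the base64 alphabet before it is placed in an attribute, since the nonce is the one value here that the page cannot HTML-escape away.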

@brotkrueml (Owner)

@ohader Hmm, to me it looks like a bug in that Chrome version. I would like to wait a little bit to see whether this occurs more often and for which browsers. Sadly, I don't have a project right now where I use only nonces for scripts, so I cannot re-check that myself. Was this the only violation for the JSON-LD in your installation?
