
After the upgrade to TYPO3 10 I have discovered a phenomenon. I use the extension fh_debug to generate a simple HTML file which includes a CSS file in the header. It is shown correctly with the CSS-styled content in the browsers Firefox or Opera without any problems. However, there is a browser warning if it is called under a URL of a TYPO3 10 website.

debug.html:10 Refused to load the stylesheet 'http://localhost/devmulti/typo3conf/ext/fh_debug/Resources/Public/Css/fhdebug.css' because it violates the following Content Security Policy directive: "style-src 'none'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

Therefore I have improved the HTML file with meta tags to set the 'style-src'.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Debug Devmulti</title>
<meta http-equiv="Content-Security-Policy" 
    content="default-src *; style-src 'self' http://localhost/devmulti/;"/>
<meta http-equiv="content-type" content="text/html;charset=utf-8"/>
<link href="http://localhost/devmulti/typo3conf/ext/fh_debug/Resources/Public/Css/fhdebug.css" rel="stylesheet" media="screen" type="text/css"/>
</head>
<body>
<p>any HTML here.</p>
</body>
</html>

The browser url is: http://localhost/devmulti/fileadmin/debug.html

If I copy the same file to the TYPO3 9 website, then it works. http://localhost/fileadmin/debug.html

If I copy the same file to a directory on the file system, then it works. file:///home/franz/Arbeit/Franz/Debug/debug.html

What must I change for TYPO3 10?

I have temporarily renamed 2 .htaccess files without any success.

devmulti/fileadmin/.htaccess and devmulti/.htaccess. I searched these files for style-src.

[franz@localhost devmulti]$ find . -name '*.*' -type f -exec grep -i 'default-src'  {}  \;  -ls
    protected const HEADER_PATTERN = '#(?<directive>default-src|script-src|style-src|object-src)\h+(?<rule>[^;]+)(?:\s*;\s*|$)#';
        $defaultSrc = isset($this->directives['default-src'])
            ? $this->directiveMitigatesCrossSiteScripting($this->directives['default-src'])
922745      4 -rw-r--r--   1  franz    franz        2539 Feb  5 09:11 ./typo3_src-10.4.12/typo3/sysext/install/Classes/SystemEnvironment/ServerResponse/ContentSecurityPolicyHeader.php
    content="default-src *; style-src \'self\' ' . $host . ';"/>
1326610     60 -rwxrwxrwx   1  franz    franz       60236 Feb  6 17:30 ./typo3conf/ext/fh_debug/Classes/Utility/DebugFunctions.php
    content="default-src *; style-src 'self' http://localhost/devmulti/;"/>
1177376      4 -rw-rw-r--   1  franz    franz         569 Feb  9 09:16 ./fileadmin/debug-stack1.html
    content="default-src *; style-src 'self' http://localhost/devmulti/;"/>
1191268      4 -rwxrwxrwx   1  franz    franz        4054 Feb  6 18:22 ./fileadmin/debug.html
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
1191266      4 -rw-rw-r--   1  apache   apache       1645 Feb  5 15:45 ./fileadmin/.htaccess

Modified devmulti/fileadmin/.htaccess at style-src 'self':

<IfModule mod_headers.c>
    # matching requested *.pdf files only (strict rules block Safari showing PDF documents)
    <FilesMatch "\.pdf$">
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
    </FilesMatch>
    # matching anything else, using negative lookbehind pattern
    <FilesMatch "(?<!\.pdf)$">
        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self'; object-src 'none';"
    </FilesMatch>
</IfModule>

This is a standalone HTML file. It does not need TYPO3 to be shown in the browser. It only includes a CSS file from the file system. Here is the used CSS file: https://github.com/franzholz/fh_debug/blob/master/Resources/Public/Css/fhdebug.css

1st solution: Delete the file devmulti/fileadmin/.htaccess and wait for some time. Then the HTML file works with the CSS styled content. Only this message remains. Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src").

Are there better solutions without having to delete a standard .htaccess of TYPO3?

Franz Holzinger
  • Generally TYPO3 publishes the CSP via the `.htaccess` file, therefore you can't relax it in the meta tag. Check whether you have a CSP HTTP header published in TYPO3 10; a tutorial is [here](https://stackoverflow.com/questions/64060894/trouble-with-content-security-policy/64068629#64068629). – granty Feb 07 '21 at 00:31
  • I get this response header: `Cache-Control max-age=0 Connection Keep-Alive Date Mon, 08 Feb 2021 19:46:05 GMT Expires Mon, 08 Feb 2021 19:46:05 GMT Keep-Alive timeout=5, max=100 Server Apache/2.4.46 (Mageia) PHP/7.3.23 ` I wonder why TYPO3 should interfere with an HTML file. And it did not help to rename the **.htaccess** files. And I cannot find a CSP inside them. – Franz Holzinger Feb 08 '21 at 19:54
  • If you do not see CSP in the HTTP header, there is only one opt - it is published in the ` – granty Feb 08 '21 at 23:27
  • I have modified the HTML code of my example to be complete. You can see here that it should work fine. However it has these CSP errors. `Content Security Policy: The page's settings blocked the loading of a resource at http://localhost/devmulti/typo3conf/ext/fh_debug/Resources/Public/Css/fhdebug.css ("style-src").` – Franz Holzinger Feb 09 '21 at 08:23
  • I get the same CSP errors with Firefox, Opera and Chrome browser on Mageia Linux. `Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src"). fingerprint-protection.js:343:25 Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src"). ` – Franz Holzinger Feb 09 '21 at 08:24
  • I have now changed my request, because fileadmin/.htaccess has CSP settings. I do not know why renaming the file to orig.htaccess did not change the result. See the enhanced information above. – Franz Holzinger Feb 09 '21 at 08:55
  • `fingerprint-protection.js:343:25` is unrelated to TYPO3 and probably some ad-blocker (modifying the markup) you've installed in your browser – Oliver Hader Feb 09 '21 at 11:36

1 Answer

TYPO3 is not involved when /fileadmin/.htaccess is invoked; however, TYPO3 generated that file in the Install Tool process (see https://review.typo3.org/c/Packages/TYPO3.CMS/+/67081). When files from /fileadmin/ are requested, they are only delivered by the web server (Apache in this case).

In order to allow loading stylesheet files, change the directive style-src 'none' to style-src 'self' and change the <link href="..."> attribute to be same-site, e.g. /devmulti/typo3conf/ext/fh_debug/Resources/Public/Css/fhdebug.css (without host prefix).

See https://typo3.org/security/advisory/typo3-psa-2020-003 for a full description, why enforcing CSP for /fileadmin/ was necessary.

Oliver Hader
  • If I change the ` – Franz Holzinger Feb 09 '21 at 20:49
  • Just use a relative path `` based on the web root, not the path within the local filesystem. Relative links are very portable; they will work with `http://localhost/...`, `http://localhost:8080/...`, `https://example.com/...` without any modification of the HTML code. – granty Feb 10 '21 at 02:13
  • This is the problem: If I use your proposal `"/devmulti/typo3conf/ext/fh_debug/Resources/Public"` and copy the file debug.html to my local computer in a folder /home/franz/example, then I must generate the same hierarchy of subfolders at this position and also copy the file `fhdebug.css` there. So `debug.html` is not easily portable any more. – Franz Holzinger Feb 12 '21 at 07:02
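The following is an added example, not code from TYPO3, fh_debug or anyone in this thread. It is a small Python model of the part of the CSP3 fetch-directive algorithm that decides the question above: the style-src-elem → style-src → default-src fallback named in the browser message, 'self' and host-source matching, and the rule that a page governed by both a Content-Security-Policy response header and a <meta http-equiv> policy must satisfy every policy, so the meta tag can only tighten, never relax. The page URL, stylesheet URL, the two .htaccess header variants and the meta policy are taken from the thread; nonce, hash and redirect handling are deliberately left out.

```python
"""CSP source-expression evaluator (added example; not TYPO3/fh_debug code).

Models:  directive fallback (style-src-elem -> style-src -> default-src),
         'none' / 'self' / '*' / scheme-source / host-source matching,
         and enforcement of several policies at once (header + meta).
Left out: nonces, hashes, 'strict-dynamic', redirects.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
FALLBACK = {
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
}


def parse_policy(policy: str) -> dict:
    """'default-src *; style-src 'self' http://h/' -> {name: [sources]}.
    A directive repeated inside one policy keeps its first occurrence (CSP3)."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def source_matches(expr: str, url: str, page_url: str) -> bool:
    """Does one source expression match an absolute URL fetched by page_url?"""
    u, o = urlsplit(url), urlsplit(page_url)
    kw = expr.lower()
    if kw == "'none'":
        return False
    if kw == "'self'":                 # origin comparison: scheme, host and port
        return (u.scheme, u.hostname, _port(u)) == (o.scheme, o.hostname, _port(o))
    if kw == "*":                      # any network scheme, or the page's own scheme
        return u.scheme in DEFAULT_PORTS or u.scheme == o.scheme
    if kw.startswith("'"):             # 'unsafe-inline' etc. never match a URL
        return False
    if expr.endswith(":") and "/" not in expr:   # scheme-source such as "https:"
        return u.scheme == kw[:-1]
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = expr.split("://", 1) if "://" in expr else ("", expr)
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme:
        if u.scheme != scheme.lower():
            return False
    elif not (u.scheme == o.scheme or (o.scheme == "http" and u.scheme == "https")):
        return False
    uhost = (u.hostname or "").lower()
    if host.startswith("*."):          # "*.example.com" matches subdomains only
        if not uhost.endswith(host[1:].lower()):
            return False
    elif host != "*" and uhost != host.lower():
        return False
    if port == "":                     # no port in the expression: URL must use the default
        if _port(u) != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and _port(u) != int(port):
        return False
    if slash:                          # "/dir/" is a prefix match, "/file.css" an exact match
        want = "/" + path
        return u.path.startswith(want) if want.endswith("/") else u.path == want
    return True


def governing(policy: dict, directive: str):
    """Walk the fallback chain; (None, None) means no directive applies."""
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if name in policy:
            return name, policy[name]
    return None, None


def load_allowed(policies, directive, url, page_url):
    """Check a URL load against every delivered policy (header values and
    meta tags alike). Returns (allowed, [directive that vetoed, per policy])."""
    url = urljoin(page_url, url)       # a relative href resolves against the page
    vetoes = []
    for text in policies:
        name, sources = governing(parse_policy(text), directive)
        if sources is not None and not any(source_matches(s, url, page_url) for s in sources):
            vetoes.append(name)
    return not vetoes, vetoes


def inline_allowed(policies, directive):
    """Inline <style>/<script> needs 'unsafe-inline' in the governing directive
    of every policy; a bare '*' does not cover inline content."""
    vetoes = []
    for text in policies:
        name, sources = governing(parse_policy(text), directive)
        if sources is not None and "'unsafe-inline'" not in [s.lower() for s in sources]:
            vetoes.append(name)
    return not vetoes, vetoes


# Inputs taken from the thread above
PAGE = "http://localhost/devmulti/fileadmin/debug.html"
CSS = "http://localhost/devmulti/typo3conf/ext/fh_debug/Resources/Public/Css/fhdebug.css"
HEADER_SHIPPED = "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
HEADER_FIXED = "default-src 'self'; script-src 'none'; style-src 'self'; object-src 'none';"
META = "default-src *; style-src 'self' http://localhost/devmulti/;"

if __name__ == "__main__":
    print(load_allowed([HEADER_SHIPPED, META], "style-src-elem", CSS, PAGE))
    print(load_allowed([HEADER_FIXED, META], "style-src-elem", CSS, PAGE))
    print(inline_allowed([META], "script-src-elem"))
```

Run as is, the first call reports the stylesheet blocked with veto `style-src` even though the meta policy permits it: the header from the shipped fileadmin/.htaccess is a second, independent policy and one veto is enough. With the `style-src 'self'` header the load passes; because `'self'` is an origin comparison (scheme, host, port), the absolute `http://localhost/...` href and the path-relative form from the answer are both accepted, the relative one just being the portable choice. The last call reproduces the message that remained after the first solution, `blocked the loading of a resource at inline ("default-src")`: it comes from the meta policy itself, whose `default-src *` governs inline scripts and carries no `'unsafe-inline'`.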