CSP: enforceContentSecurityPolicy false :CSP error in frontend

cryadm · February 29, 2024, 1:29pm

Hi, working on typo3 v12.4.11, CSP error in frontend "Settings of Page blocked loading of external Javascript-Source.

Doesn’t work

by default enforceContentSecurityPolicy = false.
Checked multiple browsers, error the same
htaccess has no CSP Restrictions
tested with enforceContentSecurityPolicy = true
Script is loaded via Viewhelper using Assetcontroller → addJavascript
added useNonce as option
added Configurarion/ContentSecurityPolicy.php

Source: Content security policy — TYPO3 Explained 12.4 documentation

Works

Adding page.config.additionalHeaders.10.header with CSP script-src and removing Configurarion/ContentSecurityPolicy.php

Tested downgrade because of Bug #102438: CSP-Errors after update to 12.4.8 - TYPO3 Core - TYPO3 Forge

Question:

Why does the CSP error can occurs, if enforceContentSecurityPolicy =false
Why does Typoscript additional Header works. Not in documentation. Project ingtegrations the “mutations” shall be used
Any ideas?

patrick · March 4, 2024, 11:17am

That is weird and should not happen. You’re sure you turned the frontend setting to false and not the backend?

patrick · March 4, 2024, 11:21am

It is allowed to have multiple Content-Security-Policy headers, although I would not recommend it, because this can result in unwanted effects. For instance:

add_header Content-Security-Policy "default-src 'self'";
add_header Content-Security-Policy "connect-src 'self' https://api.example.com";

default-src is restrictive and connect-src allows wider permissions, so only default-src is used.

With additionalHeaders it was always possible to add the Content-Security-Policy header.

cryadm · March 4, 2024, 11:48am

Yes, i’m sure.
Use security.frontend.enforceContentSecurityPolicy.