Franz Holzinger

Reputation: 998

How to set the Security Policy directive style-src in a file for TYPO3 10

After the upgrade to TYPO3 10 I have discovered a phenomenon. I use the extension fh_debug to generate a simple HTML file which includes a CSS file in the header. This is shown well, with the CSS-styled content, in the browsers Firefox or Opera without any problems. However, there is a browser warning if it is called under a URL of a TYPO3 10 website.

debug.html:10 Refused to load the stylesheet 'http://localhost/devmulti/typo3conf/ext/fh_debug/Resources/Public/Css/fhdebug.css' because it violates the following Content Security Policy directive: "style-src 'none'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

Therefore I have improved the HTML file with meta tags to set the 'style-src'.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Debug Devmulti</title>
<meta http-equiv="Content-Security-Policy"
    content="default-src *; style-src 'self' http://localhost/devmulti/;"/>
<meta http-equiv="content-type" content="text/html;charset=utf-8"/>
<link href="http://localhost/devmulti/typo3conf/ext/fh_debug/Resources/Public/Css/fhdebug.css" rel="stylesheet" media="screen" type="text/css"/>
</head>
<body>
<p>any HTML here.</p>
</body>
</html>

The browser URL is: http://localhost/devmulti/fileadmin/debug.html

If I copy the same file to the TYPO3 9 website, then it works: http://localhost/fileadmin/debug.html

If I copy the same file to a directory on the file system, then it works: file:///home/franz/Arbeit/Franz/Debug/debug.html

What must I change for TYPO3 10?

I have temporarily renamed 2 .htaccess files without any success.

devmulti/fileadmin/.htaccess and devmulti/.htaccess. I searched these files for style-src.

[franz@localhost devmulti]$ find . -name '*.*' -type f -exec grep -i 'default-src'  {}  \;  -ls
    protected const HEADER_PATTERN = '#(?<directive>default-src|script-src|style-src|object-src)\h+(?<rule>[^;]+)(?:\s*;\s*|$)#';
        $defaultSrc = isset($this->directives['default-src'])
            ? $this->directiveMitigatesCrossSiteScripting($this->directives['default-src'])
922745      4 -rw-r--r--   1  franz    franz        2539 Feb  5 09:11 ./typo3_src-10.4.12/typo3/sysext/install/Classes/SystemEnvironment/ServerResponse/ContentSecurityPolicyHeader.php
    content="default-src *; style-src \'self\' ' . $host . ';"/>
1326610     60 -rwxrwxrwx   1  franz    franz       60236 Feb  6 17:30 ./typo3conf/ext/fh_debug/Classes/Utility/DebugFunctions.php
    content="default-src *; style-src 'self' http://localhost/devmulti/;"/>
1177376      4 -rw-rw-r--   1  franz    franz         569 Feb  9 09:16 ./fileadmin/debug-stack1.html
    content="default-src *; style-src 'self' http://localhost/devmulti/;"/>
1191268      4 -rwxrwxrwx   1  franz    franz        4054 Feb  6 18:22 ./fileadmin/debug.html
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
1191266      4 -rw-rw-r--   1  apache   apache       1645 Feb  5 15:45 ./fileadmin/.htaccess

Modified devmulti/fileadmin/.htaccess at style-src 'self':

<IfModule mod_headers.c>
    # matching requested *.pdf files only (strict rules block Safari showing PDF documents)
    <FilesMatch "\.pdf$">
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
    </FilesMatch>
    # matching anything else, using negative lookbehind pattern
    <FilesMatch "(?<!\.pdf)$">
        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self'; object-src 'none';"
    </FilesMatch>
</IfModule>

This is a standalone HTML file. It does not need TYPO3 to be shown in the browser. It only includes a CSS file from the file system. Here is the CSS file used: https://github.com/franzholz/fh_debug/blob/master/Resources/Public/Css/fhdebug.css

1st solution: Delete the file devmulti/fileadmin/.htaccess and wait for some time. Then the HTML file works with the CSS-styled content. Only this message remains: Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src").

Are there better solutions without having to delete a standard .htaccess of TYPO3?

Upvotes: 1

Views: 5656

Answers (1)

Oliver Hader

Reputation: 4200

TYPO3 is not involved when /fileadmin/.htaccess is invoked; however, TYPO3 generated that file in the Install Tool process (see https://review.typo3.org/c/Packages/TYPO3.CMS/+/67081). When files from /fileadmin/ are requested, they are only delivered by the web server (Apache in this case).

In order to allow loading stylesheet files, change the directive style-src 'none' to style-src 'self' and change the <link href> attribute to be same-site, e.g. /devmulti/typo3conf/ext/fh_debug/Resources/Public/Css/fhdebug.css (without host prefix).

See https://typo3.org/security/advisory/typo3-psa-2020-003 for a full description of why enforcing CSP for /fileadmin/ was necessary.

Upvotes: 1
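As an added illustration (not code from the question, the answer or TYPO3), the following Python model shows how a browser decides the stylesheet load above: the style-src-elem → style-src → default-src fallback named in the warning, and the rule that every delivered policy (the .htaccess header and the <meta> tag together) must allow the resource, which is why adding a <meta> policy cannot relax the header. The URLs and policies are the ones from the question; the function names are my own, and nonces and hashes are deliberately not modelled.

```python
from urllib.parse import urljoin, urlparse

# Fallback chain for a <link rel="stylesheet"> load (CSP3): the first directive present wins.
STYLE_ELEM_FALLBACK = ("style-src-elem", "style-src", "default-src")

def parse_csp(policy):
    """Parse one CSP header or <meta> value into {directive: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:  # a repeated directive name is ignored: the first occurrence wins
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives

def effective_sources(directives, fallback=STYLE_ELEM_FALLBACK):
    """Return the source list of the first directive in the chain, or None if none is set."""
    for name in fallback:
        if name in directives:
            return directives[name]
    return None

def source_matches(source, target, page):
    """Does one source expression allow the absolute target URL loaded from page?"""
    if source == "'none'":
        return False
    if source == "*":
        return target.scheme in ("http", "https")
    if source == "'self'":  # same scheme, host and port as the document
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):  # 'unsafe-inline', nonces and hashes never match a URL
        return False
    host = urlparse(source if "://" in source else f"{page.scheme}://{source}")
    if host.scheme != target.scheme or host.hostname != target.hostname:
        return False
    if host.port not in (None, target.port):
        return False
    path = host.path or "/"  # a path ending in "/" is a prefix, otherwise it must match exactly
    return target.path.startswith(path) if path.endswith("/") else target.path == path

def stylesheet_allowed(policies, href, page_url):
    """Every delivered policy (header AND <meta>) must allow the stylesheet; one veto blocks it."""
    page = urlparse(page_url)
    target = urlparse(urljoin(page_url, href))  # resolve a host-less href like the answer suggests
    for policy in policies:
        sources = effective_sources(parse_csp(policy))
        if sources is not None and not any(source_matches(s, target, page) for s in sources):
            return False
    return True
```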
