
BUG: Backend not working with strong Content-Security-Policy Header #3767

Open
1 task done
Benjamin-K opened this issue Oct 20, 2023 · 1 comment
Labels
8.3 Bug Label to mark the change as bugfix Technical debt

Comments

@Benjamin-K

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

If you add a Content-Security-Policy (CSP) header that does not allow 'unsafe-inline' for script-src, the whole backend will not work as expected. Content in the preview iframe cannot be selected nor changed. Changing the language / dimension has no effect (no reload). Navigating through the page tree works as expected.
This is because Neos uses a lot of inline scripts to handle the node data required for inline editing and other stuff, so blocking inline scripts will prevent most of the Neos parts from working.

Expected Behavior

Neos provides an easy way to create and retrieve a nonce for the current request. The nonce will be the same for all inline scripts, so a developer can easily add a 'nonce-<unique-value>' to the response. There is no problem in using the same nonce multiple times as long as it changes for each new request/response.

Steps To Reproduce

  1. Add a CSP header to your HTML response, something like this:
    # fusion file
    prototype(Neos.Fusion:Http.ResponseHead) {
        headers {
            'Content-Security-Policy' = "default-src 'self' https://*.domain.com; style-src 'self' 'unsafe-inline' https://*.domain.com; script-src 'self' https://*.domain.com; img-src 'self' data: https://*.domain.com; font-src 'self' data: https://*.domain.com"
        }
    }
    
  2. Log in to the Neos backend and try to edit any content element or switch the language.
  3. Open the developer console and see a lot of errors popping up.

Environment

- Flow: 8.3.5
- Neos: 8.3.5
- PHP:  8.2.8

Anything else?

No response
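The approach proposed under "Expected Behavior" (one fresh nonce per response, reused by every inline script, and announced in script-src instead of 'unsafe-inline') is shown below as an added, stand-alone example. It is not Neos or Flow code: generate_nonce, build_csp_header, render_page, nonce_from_header and find_blocked_inline_scripts are names chosen here, the host list is copied from the Fusion snippet in the issue, and the page markup and script paths are constructed for the demonstration. The checker at the end is the kind of test a developer can run against rendered backend output to find inline scripts that a nonce-based policy would block.

```python
import base64
import re
import secrets
from typing import List, Optional

NONCE_BYTES = 16  # 128 bits of randomness, the minimum the CSP spec recommends


def generate_nonce(nbytes: int = NONCE_BYTES) -> str:
    """Return a fresh base64 nonce. Call exactly once per request/response."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp_header(nonce: str, host: str = "https://*.domain.com") -> str:
    """Policy from the issue, with 'nonce-...' taking the place of 'unsafe-inline' for scripts."""
    directives = [
        ("default-src", ["'self'", host]),
        ("style-src", ["'self'", "'unsafe-inline'", host]),
        ("script-src", ["'self'", f"'nonce-{nonce}'", host]),
        ("img-src", ["'self'", "data:", host]),
        ("font-src", ["'self'", "data:", host]),
    ]
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives)


def render_page(nonce: str, node_data_json: str) -> str:
    """Constructed stand-in for a backend page: both inline scripts reuse the request nonce.

    The external script needs no nonce; it is covered by 'self' in script-src.
    """
    return (
        "<html><head>"
        f'<script nonce="{nonce}">window.nodeData = {node_data_json};</script>'
        '<script src="/_Resources/backend.js"></script>'
        "</head><body>"
        f'<script nonce="{nonce}">window.dispatchEvent(new Event("backend-ready"));</script>'
        "</body></html>"
    )


def nonce_from_header(header: str) -> Optional[str]:
    """Extract the nonce announced in the script-src directive, or None if there is none."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            for source in parts[1:]:
                if source.startswith("'nonce-") and source.endswith("'"):
                    return source[len("'nonce-"):-1]
    return None


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r"""nonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
_SRC_ATTR = re.compile(r"\bsrc\s*=", re.IGNORECASE)


def find_blocked_inline_scripts(document: str, nonce: str) -> List[str]:
    """Return the opening tags of inline scripts that a nonce-only script-src would block.

    Scripts loaded via src are skipped: they are governed by the host list, not the nonce.
    A missing nonce attribute or one that does not match the header's nonce is reported.
    """
    blocked = []
    for match in _SCRIPT_TAG.finditer(document):
        attrs = match.group(1)
        if _SRC_ATTR.search(attrs):
            continue
        found = _NONCE_ATTR.search(attrs)
        if found is None or found.group(1) != nonce:
            blocked.append(match.group(0))
    return blocked


if __name__ == "__main__":
    nonce = generate_nonce()
    header = build_csp_header(nonce)
    page = render_page(nonce, '{"node": "constructed-sample"}')
    print("Content-Security-Policy:", header)
    print("blocked inline scripts:", find_blocked_inline_scripts(page, nonce_from_header(header)))
```

Two points worth keeping in mind when wiring this into a real response: the nonce must be generated per request and never cached along with the page, otherwise a reused value is as good as no nonce at all; and once a 'nonce-...' source is present, CSP3-capable browsers ignore 'unsafe-inline' in the same directive, so the two cannot be combined as a transitional fallback for modern browsers.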

@Benjamin-K Benjamin-K added the Bug Label to mark the change as bugfix label Oct 20, 2023
@grebaldi grebaldi transferred this issue from neos/neos-development-collection Apr 18, 2024
@grebaldi (Contributor)

Hi @Benjamin-K,

Thanks for reporting this. We should definitely make it possible for the UI to work in stricter CSP environments (though my guess would be that there's gonna be a limit to that somewhere due to the very presence of inter-frame communication).

I have transferred your issue over to the UI repository, because this is where it needs to be fixed.
