brotkrueml / schema

TYPO3 extension providing an API and view helpers for schema.org markup
https://extensions.typo3.org/extension/schema
GNU General Public License v2.0

Content-Security-Policy (CSP) Violation #113

Open ohader opened 1 year ago

ohader commented 1 year ago

Current behavior

I received a CSP violation with a script sample like {"@context":"https://schema.org/","@grap, which refers back to the JSON-LD schema integration.

The tag is correctly embedded as <script type="application/ld+json" id="ext-schema-jsonld"> and should not cause any report at all. The used browser agent (see details below) references Chrome 86.04240.198, which was released in November 2020.

I think that adding a nonce="..." attribute, like <script type="application/ld+json" id="ext-schema-jsonld" nonce="..."> would not hurt here. Let me know what you think, I could work on a potential patch for TYPO3 v12.

CSP Violation

{"document-uri":"https://indiemusik-festival.de/events/festival-2023","referrer":"https://indiemusik-festival.de/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https://instagram.com https://*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https://instagram.com https://*.instagram.com; default-src 'self'; script-src 'self' 'nonce-qToWeo2MUDBp88EbdZ5PV-8E0vxZAb0qTfBWGYzH0fPs0cORNN0ZZw' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https://analytics.in-die-musik.de; script-src-elem 'self' 'nonce-qToWeo2MUDBp88EbdZ5PV-8E0vxZAb0qTfBWGYzH0fPs0cORNN0ZZw' https://analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https://cloud.in-die-musik.de; report-uri https://indiemusik-festival.de/@http-reporting?csp=report&requestTime=1684525087682294","disposition":"enforce","blocked-uri":"inline","line-number":1199,"column-number":39,"source-file":"about","status-code":0,"script-sample":"{\"@context\":\"https://schema.org/\",\"@grap"}

CSP Meta Data

{"addr":"40.94.102.0","agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/86.0.4240.198 Safari\/537.36"}
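The report above can be triaged mechanically. The following Python script is an added example, not part of this issue and not code from the schema extension: it parses a CSP report (constructed to mirror the one above, with the site, nonce and analytics host replaced by placeholder values), determines which directive governed the inline script element via the CSP3 fallback chain, checks whether that element would pass with and without a nonce, flags a script-sample that is the start of a schema.org JSON-LD data block rather than executable JavaScript, and renders the <script type="application/ld+json"> tag with the nonce attribute proposed above. All function names are the example's own.

```python
import json
from typing import Optional

# Constructed report: same shape and directive set as the one in the issue,
# with the site, nonce and analytics host replaced by placeholder values.
SAMPLE_REPORT = {
    "csp-report": {
        "document-uri": "https://example.invalid/events/festival-2023",
        "violated-directive": "script-src-elem",
        "effective-directive": "script-src-elem",
        "original-policy": (
            "default-src 'self'; "
            "script-src 'self' 'nonce-EXAMPLENONCE' 'report-sample'; "
            "script-src-elem 'self' 'nonce-EXAMPLENONCE' "
            "https://analytics.example.invalid 'report-sample'; "
            "object-src 'none'; base-uri 'none'"
        ),
        "disposition": "enforce",
        "blocked-uri": "inline",
        "script-sample": '{"@context":"https://schema.org/","@grap',
    }
}


def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def governing_directive(directives: dict, name: str = "script-src-elem"):
    """CSP3 fallback chain for <script> elements:
    script-src-elem, then script-src, then default-src."""
    for candidate in (name, "script-src", "default-src"):
        if candidate in directives:
            return candidate, directives[candidate]
    return None, []


def inline_script_allowed(directives: dict, nonce: Optional[str] = None) -> bool:
    """Would an inline <script> element pass the governing directive?
    Only 'unsafe-inline' (when no nonce or hash sources are listed) or a
    matching 'nonce-...' source admits inline elements."""
    name, sources = governing_directive(directives)
    if name is None:
        return True  # nothing governs script elements: unrestricted
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True  # 'unsafe-inline' is ignored once nonces or hashes are present
    return nonce is not None and f"'nonce-{nonce}'" in sources


def looks_like_jsonld(script_sample: str) -> bool:
    """True when the sample is the start of a schema.org JSON-LD data block
    (a non-executable script type) rather than JavaScript."""
    s = script_sample.lstrip()
    return s.startswith("{") and '"@context"' in s and "schema.org" in s


def classify_report(report: dict) -> dict:
    """Summarise a report-uri payload for triage."""
    body = report.get("csp-report", report)
    directives = parse_policy(body.get("original-policy", ""))
    name, _ = governing_directive(directives)
    return {
        "governing_directive": name,
        "blocked_uri": body.get("blocked-uri"),
        "inline_allowed_without_nonce": inline_script_allowed(directives),
        "jsonld_data_block": looks_like_jsonld(body.get("script-sample", "")),
    }


def render_jsonld_tag(data: dict, nonce: Optional[str] = None,
                      element_id: str = "ext-schema-jsonld") -> str:
    """Render the JSON-LD tag, optionally with the nonce attribute proposed
    in the issue. '</' is escaped inside the JSON so that data containing
    '</script>' cannot terminate the element early."""
    payload = json.dumps(data).replace("</", "<\\/")
    nonce_attr = f' nonce="{nonce}"' if nonce else ""
    return (f'<script type="application/ld+json" id="{element_id}"{nonce_attr}>'
            f"{payload}</script>")


if __name__ == "__main__":
    print(classify_report(SAMPLE_REPORT))
    print(render_jsonld_tag({"@context": "https://schema.org/", "@type": "Event"},
                            nonce="EXAMPLENONCE"))
```

For the constructed report the classification shows that script-src-elem governed the element, that an inline element without a nonce cannot pass that directive, and that the sample is a JSON-LD data block; a triage rule can then route such reports separately from genuine inline-script findings. The nonce value passed to render_jsonld_tag must be the same per-response nonce the policy header carries.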

brotkrueml commented 1 year ago

@ohader Hmm, for me it looks like a bug in that Chrome version. I would like to wait a little bit to see if this occurs more often and for which browsers. Sadly, I don't currently have a project where I use only nonces for scripts, so I cannot re-check that myself. Was this the only violation for the JSON-LD in your installation?