Closed anselmh closed 2 years ago
Additionally, there’s also a base64 data image used as placeholder in the panel which causes a CSP report/error unless you set `image-src: data:`, which is nearly as unsafe as `unsafe-inline` for scripts. Should I create a different ticket for this?
You can solve this by using our nonce for the CSP header. But you need to move setting the header to your config instead of the `.htaccess`.

```php
<?php

// site/config/config.php: send the CSP header from PHP so it can carry the
// per-request nonce that Kirby uses for its own inline scripts.
return [
    'ready' => function ($kirby) {
        header("Content-Security-Policy: script-src 'nonce-" . $kirby->nonce() . "'");
    }
];
```

The first script block will still throw an error and I will fix that in 3.6.1
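As an added example (not Kirby's code and not from this thread): a small Python checker that parses a CSP header like the one set above and reports, for a rendered page, the inline scripts missing a valid nonce and the `data:` images that `img-src` does not permit. The header and page body are constructed samples.

```python
import re

# Constructed sample inputs (not from the Kirby issue): a nonce-based CSP
# header and a rendered page body to check against it.
CSP = "script-src 'nonce-abc123'; img-src 'self'"
PAGE = """
<script nonce="abc123">window.panel = {};</script>
<script>document.title = 'x';</script>
<script src="/media/panel/index.js"></script>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="placeholder">
"""

def parse_csp(header):
    """Split a CSP header into {directive: set(source expressions)}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = set(parts[1:])
    return policy

def nonces_for(policy, directive):
    """Return the nonce values the directive allows (empty set if none)."""
    return {s[len("'nonce-"):-1] for s in policy.get(directive, ())
            if s.startswith("'nonce-")}

def find_csp_violations(header, body):
    """List (directive, snippet) pairs the browser would block under this policy."""
    policy = parse_csp(header)
    violations = []
    allowed = nonces_for(policy, "script-src")
    inline_ok = "'unsafe-inline'" in policy.get("script-src", set())
    for attrs, content in re.findall(r"<script\b([^>]*)>(.*?)</script>", body, re.S | re.I):
        if re.search(r"\bsrc\s*=", attrs, re.I):
            continue  # external script: governed by host sources, not by the nonce
        m = re.search(r'nonce\s*=\s*"([^"]*)"', attrs, re.I)
        if inline_ok or (m and m.group(1) in allowed):
            continue
        violations.append(("script-src", content.strip()[:40]))
    # img-src falls back to default-src when absent; data: must be listed explicitly
    img_sources = policy.get("img-src", policy.get("default-src", set()))
    for src in re.findall(r'<img\b[^>]*\bsrc\s*=\s*"([^"]*)"', body, re.I):
        if src.lower().startswith("data:") and "data:" not in img_sources:
            violations.append(("img-src", src[:40]))
    return violations
```

Running it on the sample flags the nonce-less inline script and the base64 placeholder image, which are the two problems raised in this thread.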
Describe the bug

I think I just found an issue some days after upgrading one of the Kirby sites to 3.6. The site uses a Content-Security-Policy (CSP) defined in Apache via `.htaccess` file and it forbids `unsafe-inline` for obvious reasons. It worked fine until the user session expired in Panel, then the client realised that the login view doesn’t render anymore. I debugged it a bit and found the following errors logged to the console:

I reached the source and found some scripts (one, ) not using a hash/nonce but am not entirely sure which one causes the issues. I currently made my CSP unsafe by allowing the `unsafe-inline` scripts but this can only be a temporary solution.

To Reproduce

Steps to reproduce the behavior:

Expected behavior

Login view renders without CSP issues and without using `unsafe-inline` scripts.

Kirby Version

3.6.0

Additional information

I also tried to only set `unsafe-hashes` instead of `unsafe-inline` but it doesn’t work so I assume either a hash/nonce doesn’t work correctly or there is some script relying on a real unsafe inline script causing this error.