[BUGFIX] Inject CSP nonce values only if CSP feature is enabled

Currently, CSP nonce values are used per default during the frontend rendering process (which basically would be fine). However, this also leads to the situation, that the page is not considered to be fully cached anymore (`INTincScript`). With this change, CSP nonce values are only used if the corresponding CSP feature is enabled for the frontend scope. Resolves: #100886 Releases: main, 12.4 Change-Id: I874b16a2c3f4791bfa4b0e9eb508c97b5485f1d0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79073 Tested-by: core-ci <typo3@b13.com> Tested-by: Georg Ringer <georg.ringer@gmail.com> Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
TYPO3 · May 17, 2023 · bd4980f · bd4980f
1 parent 745aae4
commit bd4980f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/typo3/sysext/frontend/Classes/Http/RequestHandler.php b/typo3/sysext/frontend/Classes/Http/RequestHandler.php
@@ -22,6 +22,7 @@
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Domain\ConsumableString;
 use TYPO3\CMS\Core\EventDispatcher\ListenerProvider;
 use TYPO3\CMS\Core\Http\Response;
 use TYPO3\CMS\Core\Information\Typo3Information;
@@ -140,7 +141,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
             // in case the nonce value was actually consumed during the rendering process, add a
             // permanent substitution of the current value (that will be cached), with a future
             // value (that will be generated and issued in the HTTP CSP header)
-            if (count($nonce) > 0) {
+            if ($nonce instanceof ConsumableString && count($nonce) > 0) {
                 // nonce was consumed
                 $controller->config['INTincScript'][] = [
                     'target' => NonceValueSubstitution::class . '->substituteNonce',

diff --git a/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php b/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
@@ -48,12 +48,13 @@ public function __construct(
 
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        $request = $request->withAttribute('nonce', new ConsumableString($this->requestId->nonce->b64));
-        $response = $handler->handle($request);
-
+        // return early in case CSP shall not be used
         if (!$this->features->isFeatureEnabled('security.frontend.enforceContentSecurityPolicy')) {
-            return $response;
+            return $handler->handle($request);
         }
+        // make sure, the nonce value is set before processing the remaining middlewares
+        $request = $request->withAttribute('nonce', new ConsumableString($this->requestId->nonce->b64));
+        $response = $handler->handle($request);
 
         $site = $request->getAttribute('site');
         $scope = Scope::frontendSite($site);