Use files instead of data: resources to avoid breaking CSP (see #6927)

Description ----------- <del>Because Swiper uses `src: url('data:application/font-woff…')` in their style sheet.</del> I have repackaged Swiper in contao-components/swiper@a9f07d8. Commits ------- 1199663 Add the missing `csp_source()` in the swiper.html.twig template daccd64 Add the missing `csp_none()` as well c3fc558 Add `csp_none()` to the style sheet component 88a0395 Revert the changes to the style sheet component 2767e40 Replace the preview toolbar data:image with an icon 4027a1a Use asset() to add the icon
contao · Feb 23, 2024 · e44b87f · e44b87f
1 parent c25426d
commit e44b87f
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 3 deletions.
diff --git a/core-bundle/contao/templates/twig/content_element/accordion.html.twig b/core-bundle/contao/templates/twig/content_element/accordion.html.twig
@@ -25,7 +25,7 @@
 {% block script %}
     {% add "handorgel_js" to body %}
         <script src="{{ asset('js/handorgel.min.js', 'contao-components/handorgel') }}"></script>
-        <script>
+        <script{{ attrs(script_attributes|default).setIfExists('nonce', csp_nonce('script-src')) }}>
             (function () {
                 document.querySelectorAll('.content-accordion').forEach(el => {
                     new handorgel(el, {

diff --git a/core-bundle/contao/templates/twig/content_element/swiper.html.twig b/core-bundle/contao/templates/twig/content_element/swiper.html.twig
@@ -35,7 +35,7 @@
 {% block script %}
     {% add "swiper_js" to body %}
         <script src="{{ asset('js/swiper-bundle.min.js', 'contao-components/swiper') }}"></script>
-        <script>
+        <script{{ attrs(script_attributes|default).setIfExists('nonce', csp_nonce('script-src')) }}>
             (function() {
                 const swiper = document.querySelectorAll('.swiper');
                 swiper.forEach (el => {

diff --git a/core-bundle/contao/themes/flexible/icons/down.svg b/core-bundle/contao/themes/flexible/icons/down.svg
diff --git a/core-bundle/templates/Frontend/preview_toolbar_base_js.html.twig b/core-bundle/templates/Frontend/preview_toolbar_base_js.html.twig
@@ -143,7 +143,7 @@
         border: 1px solid #aaa;
         padding: 4px 22px 5px 6px;
         border-radius: 2px;
-        background: #fff url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMiIgaGVpZ2h0PSIxMiIgdmlld0JveD0iMCAwIDUwMCA1MDAiPjxsaW5lYXJHcmFkaWVudCBpZD0iYSIgZ3JhZGllbnRVbml0cz0idXNlclNwYWNlT25Vc2UiIHgxPSIxMzEuNTIzIiB5MT0iNDIuNjMiIHgyPSIzNjguNDc4IiB5Mj0iMjc5LjU4NCI+PHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjYjNiM2IzIi8+PHN0b3Agb2Zmc2V0PSIxIiBzdG9wLWNvbG9yPSIjOTk5Ii8+PC9saW5lYXJHcmFkaWVudD48cGF0aCBmaWxsPSJ1cmwoI2EpIiBkPSJNMjUwIDM5Ni42NjZjLTEuMTU1IDAtNC4xMS0xLjgzMi03LjExMy02Ljc1bC0xNjkuNi0yNzcuNDU1Yy0yLjUxNy00LjExNC0zLjE5LTYuOTgtMy4yOC04LjMxNC44MjctLjMzIDIuNTY1LS44MTIgNS42MjctLjgxMmgzNDguNzMzYzMuMDYzIDAgNC43OTguNDgyIDUuNjI3LjgxMi0uMDkgMS4zMzQtLjc2NiA0LjItMy4yOCA4LjMxNWwtMTY5LjYgMjc3LjQ1N2MtMy4wMDUgNC45MTctNS45NiA2Ljc1LTcuMTE0IDYuNzV6Ii8+PC9zdmc+) right -16px center no-repeat;
+        background: #fff url({{ asset('system/themes/flexible/icons/down.svg') }}) right -16px center no-repeat;
         background-origin: content-box;
         cursor: pointer;
         text-transform: none;