CSP error when trying to add filter option
Closed this issue · 8 comments
TYPO3 version: 12.4.14
Ke_search version: 5.5.0
In #194 it was stated that this issue no longer appears, but with the versions mentioned above I could replicate the issue.
The problem lies with the FilterOptionTagValidator->returnFieldJs() method, which returns inline JavaScript code as a plain string. That code is eval'd on the client, triggering the CSP.
Additionally, since TYPO3 v12.4 returning a plain string in returnFieldJs() is deprecated in favor of returning a JavaScriptModuleInstruction instance.
Chrome 126
Firefox 128
TYPO3 12.4.14
ke_search 5.5.0
Unfortunately I'm still not able to reproduce this issue.
What browser do you use? Do you know if some settings need to be enabled in the browser?
Ironically FilterOptionTagValidator->returnFieldJs() doesn't add any logic so it can most likely just be removed:
I tested on ddev using nginx
@christianbltr I think I forgot to mention it only happens when clicking on the Create new button under "Filter options" when editing a filter.
What browser do you use? Do you know if some settings need to be enabled in the browser?
I'm using latest Firefox (v128.0). I don't have any special settings enabled.
I have the same problem with TYPO3 12.4.15 and ke_search 5.5.0 with all browsers (Chrome, Firefox, Edge).
Same problem on TYPO3 12.4.22 and ke_search 6.0.0
Getting Error
Error Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ' [...]".
when Edit Filters "MyFilter" on page "Search data" trying to create new Filter options inside the filter record
What should be added to the Content Security Policy directive?
Could you test version 6.1.0?
This version removes the obsolete returnFieldJs() function.
with version 6.1.0 it works
thank you
Thanks for reporting!
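The error quoted in this thread is the browser applying script-src to string evaluation. The following is an added example (not from the thread or from ke_search; the sample policies are constructed) that parses a CSP header value and reports whether it blocks eval(), covering the default-src fallback and several policies on one response.

```javascript
// Parse one serialized policy into a Map: directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), new Function() and string timers are governed by script-src,
// falling back to default-src. script-src-elem/-attr do not apply.
function evalVerdict(policy) {
  const d = parseCsp(policy);
  const directive = d.has('script-src') ? 'script-src'
    : d.has('default-src') ? 'default-src' : null;
  if (directive === null) return { allowed: true, directive };
  const allowed = d.get(directive)
    .some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { allowed, directive };
}

// Each header and each comma-separated policy is enforced independently,
// so string evaluation works only if every one of them allows it.
function evalPermitted(headerValues) {
  return headerValues
    .flatMap((h) => h.split(','))
    .filter((p) => p.trim() !== '')
    .every((p) => evalVerdict(p).allowed);
}

// Constructed sample policies (not taken from the thread).
const SAMPLES = [
  "default-src 'self'; script-src 'self' 'nonce-EXAMPLE'",
  "default-src 'self'",
  "img-src 'self' data:",
];
for (const policy of SAMPLES) {
  const { allowed, directive } = evalVerdict(policy);
  const verdict = allowed ? 'eval allowed' : 'eval blocked';
  console.log(`${verdict} (${directive ?? 'no script directive'}): ${policy}`);
}
```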