No Code Attached Yet
ReLater
22 May 2022

Steps to reproduce the issue

J!4.1.3. Current Firefox.

At the end of the day it's somehow a security issue because users can't activate security settings without losing functionality here or there.

Related #37799 (Same reason. Inline scripts in Joomla core make usage of CSP with nonces pointless).

Step 1:

  • Create a FE module mod_feed.
    • Example feed: https://www.rki.de/SiteGlobals/Functions/RSSFeed/RSSGenerator_nCoV.xml
    • Set RTL Feed: Yes.
    • Position Banner of Cassiopeia.
  • See module in frontend: It's right aligned. OK. (Image 1).

Step 2:

  • In plugin System - HTTP Headers
    • Activate Content-Security-Policy (CSP).
    • Don't activate any switch.
    • Add Policy Directive: style-src: 'self' 'unsafe-inline'
    • Activate plugin
  • See module in frontend: It's right aligned. OK. (Image 1).

Step 3:

  • In plugin System - HTTP Headers
    • Activate Nonce
    • Change Policy Directive: {nonce} 'self' 'unsafe-inline'
  • See module in frontend: It's left aligned. NOT OK. (Image 2).

Reason:

Image 1

Image 2

Additional comments

Inline scripts and styles shouldn't be used in Joomla core.

ReLater - open - 22 May 2022
joomla-cms-bot - change - 22 May 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 22 May 2022
ChristineWk - comment - 23 May 2022

@ReLater
Confirmed. Thank you for your instructions/explanations.
unsafe-inline'" is ignored inside script-src or style-src
Content Security Policy: The site's settings have blocked loading of a resource on inline ("style-src").


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37859.
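
The behaviour reproduced in steps 2 and 3 and reported in the console messages above, as an added example (not code from this issue, the linked pull request or Joomla core): a simplified model of how a browser applies `style-src` to inline styles. It assumes the `{nonce}` placeholder expands to a `'nonce-…'` source and that the affected module markup sets its direction through a `style` attribute; the nonce value is constructed.

```javascript
// Added example, not Joomla code. Simplified model of CSP3 style-src
// handling for inline styles; hash matching and 'unsafe-hashes' are left out.
function parseStyleSrc(sourceList) {
  const tokens = sourceList.trim().split(/\s+/);
  const nonces = tokens
    .map((t) => /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/i.exec(t))
    .filter(Boolean)
    .map((m) => m[1]);
  const hasHash = tokens.some((t) => /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/i.test(t));
  const unsafeInlineListed = tokens.some((t) => t.toLowerCase() === "'unsafe-inline'");
  return {
    nonces,
    // CSP3: 'unsafe-inline' is ignored once any nonce or hash source is present.
    unsafeInlineEffective: unsafeInlineListed && nonces.length === 0 && !hasHash,
  };
}

// inline = { kind: "element" | "attribute", nonce?: string }
function allowsInlineStyle(sourceList, inline) {
  const policy = parseStyleSrc(sourceList);
  if (policy.unsafeInlineEffective) return true;
  // Only a <style> element can carry a nonce; a style="" attribute cannot.
  return inline.kind === "element" && policy.nonces.includes(inline.nonce);
}

// Constructed values: NONCE stands in for what {nonce} is assumed to expand to.
const NONCE = "cjRuZDBtLW5vbmNl";
const STEP2 = "'self' 'unsafe-inline'";
const STEP3 = `'nonce-${NONCE}' 'self' 'unsafe-inline'`;

function report() {
  const cases = {
    styleAttribute: { kind: "attribute" },             // assumed: <div style="direction: rtl">
    styleElementNoNonce: { kind: "element" },          // <style> without a nonce
    styleElementWithNonce: { kind: "element", nonce: NONCE },
  };
  const out = {};
  for (const [name, inline] of Object.entries(cases)) {
    out[name] = {
      step2: allowsInlineStyle(STEP2, inline),
      step3: allowsInlineStyle(STEP3, inline),
    };
  }
  return out;
}

console.table(report());
```

Under the step 3 policy only the nonce-carrying `<style>` element is accepted, which is why moving the direction rule out of the attribute and into a class restores the alignment.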
ReLater - comment - 23 May 2022

A B\C solution can be something like this: https://github.com/ReLater/joomla-cms/pull/1/files

Another solution could be to add new helper classes to core CSS files, like direction-rtl and direction-ltr, but that is not B\C if people use other templates.

ChristineWk - comment - 23 May 2022

A B\C solution can be something like this: https://github.com/ReLater/joomla-cms/pull/1/files

changed https://github.com/ReLater/joomla-cms/pull/1/files accordingly and got right aligned in frontend:

<div class="text-right feed modFeedDir-169"> <h2 class=" redirect-ltr">

richard67 - change - 23 May 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-05-23 20:41:40
Closed_By: richard67
richard67 - close - 23 May 2022
richard67 - comment - 23 May 2022

Closing as having a pull request. See #37873 (and also #37872).
