fix: extend Content Security Policy for Action Network to allow images

2025-06-19 08:46:19 +02:00
parent 69c8e060d6
commit 9de2800ed0
1 changed files with 33 additions and 8 deletions
--- a/packages/base/Configuration/ContentSecurityPolicies.php
+++ b/packages/base/Configuration/ContentSecurityPolicies.php
@@ -13,10 +13,40 @@ use TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
 use TYPO3\CMS\Core\Type\Map;

 return Map::fromEntries([
-    // Provide declarations for the backend
-    Scope::backend(),
-    // NOTICE: When using `MutationMode::Set` existing declarations will be overridden
+    // Frontend CSP configuration for Action Network widget
+    Scope::frontend(),
+    new MutationCollection(
+        // Base security settings
+        new Mutation(
+            MutationMode::Set,
+            Directive::DefaultSrc,
+            SourceKeyword::self,
+        ),
+        // Allow scripts from Action Network
+        new Mutation(
+            MutationMode::Extend,
+            Directive::ScriptSrc,
+            SourceKeyword::self,
+            new UriValue('https://actionnetwork.org'),
+        ),
+        // Allow styles from Action Network
+        new Mutation(
+            MutationMode::Extend,
+            Directive::StyleSrc,
+            SourceKeyword::self,
+            new UriValue('https://actionnetwork.org'),
+        ),
+        // Allow images from Action Network
+        new Mutation(
+            MutationMode::Extend,
+            Directive::ImgSrc,
+            SourceKeyword::self,
+            new UriValue('https://actionnetwork.org'),
+        ),
+    ),

+    // Backend configuration
+    Scope::backend(),
    new MutationCollection(
        // Results in `default-src 'self'`
        new Mutation(
@@ -34,15 +64,10 @@ return Map::fromEntries([
            SourceScheme::data,
            new UriValue('https://*.typo3.org'),
        ),
-        // NOTICE: the following two instructions for `Directive::ImgSrc` are identical to the previous instruction,
-        // `MutationMode::Extend` is a shortcut for `MutationMode::InheritOnce` and `MutationMode::Append`
-        // new Mutation(MutationMode::InheritOnce, Directive::ImgSrc, SourceScheme::data),
-        // new Mutation(MutationMode::Append, Directive::ImgSrc, SourceScheme::data, new UriValue('https://*.typo3.org')),

        // Extends the ancestor directive ('default-src'),
        // thus reuses 'self' and adds additional sources
        // Results in `script-src 'self' 'nonce-[random]'`
-        // ('nonce-proxy' is substituted when compiling the policy)
        new Mutation(
            MutationMode::Extend,
            Directive::ScriptSrc,