While playing around with CSP directives in TYPO3 12.4.13 I stumbled upon a bit of a weird issue. To run inline scripts I have defined a nonce value for my script-src directive using the TYPO3 extension specific approach. In my fluid template I use the f:security.nonce() viewhelper to generate to correct nonce value. However, in some cases the viewhelper doesn't generate a nonce value.
Here are some examples of those cases. Note that the extra f:secity.nonce() viewhelper is just for testing purposes.
In this case the viewhelper correctly works:
{f:security.nonce()} <!-- Outputs hash 0NnkfpY8... -->
<script nonce="{f:security.nonce()}">
let map;
async function initMap() {
// Map
map = new Map(document.getElementById("map"), {});
}
initMap();
</script>
But when adding something like zoom: 14, to the Map object, the viewhelper doesn't generate anything:
{f:security.nonce()} <!-- Outputs {f:security.nonce()} -->
<script nonce="{f:security.nonce()}">
let map;
async function initMap() {
// Map
map = new Map(document.getElementById("map"), {
zoom: 14,
});
}
initMap();
</script>
Here's another example:
Like this the viewhelper works:
{f:security.nonce()} <!-- Outputs hash 0NnkfpY8... -->
<script nonce="{f:security.nonce()}">
let map;
async function initMap() {
// Set map constants
const centerPosition = { lat: xxx, lng: xxx },
mapStyle = "xxxxxx";
const markerPosition = centerPosition;
}
initMap();
</script>
But like this it doesn't:
{f:security.nonce()} <!-- Outputs {f:security.nonce()} -->
<script nonce="{f:security.nonce()}">
let map;
async function initMap() {
// Set map constants
const centerPosition = { lat: xxx, lng: xxx },
mapStyle = "xxxxxx",
markerPosition = centerPosition;
}
initMap();
</script>