Commit 180bf9f6 authored by Oliver Hader, committed by Oliver Hader

[BUGFIX] Use less restrictive CSP for showing PDF documents

Showing PDF documents in Safari browsers is blocked due to recent
content-security-policy adjustments in the `fileadmin/` directory.
This change uses a less restrictive approach for PDF documents.

Resolves: #93035
Releases: master, 10.4, 9.5
Change-Id: I58065e19c86c0054dc5f155e20d7f6a90baec20e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67081

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Marcus Schwemer <ms@schwemer.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Philipp Gampe <philipp.gampe@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Marcus Schwemer <ms@schwemer.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
parent 2049dac1
......@@ -3,11 +3,31 @@
# /fileadmin/ or /uploads/
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
# matching requested *.pdf files only (strict rules block Safari showing PDF documents)
<FilesMatch "\.pdf$">
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
</FilesMatch>
# matching anything else, using negative lookbehind pattern
<FilesMatch "(?<!\.pdf)$">
Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</FilesMatch>
# // comment previous line and use the following two lines instead
# // in order to only set the header when it has not be set before
# // (known as `setifempty` in Apache v2.4.7 - v2.2 fallback below)
# Header append Content-Security-Policy ""
# Header edit Content-Security-Policy "^$" "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
# =================================================================
# Variations to send CSP header only when it has not be set before.
# Adjust all `Header set` instructions above
# Header set Content-Security-Policy "<directives>"
# with substitutes shown below
#
# -----------------------------------------------------------------
# a) for Apache 2.4 (having `setifempty`)
# -----------------------------------------------------------------
# Header setifempty Content-Security-Policy "<directives>"
#
# -----------------------------------------------------------------
# b) for Apache 2.2 (using fallbacks)
# -----------------------------------------------------------------
# Header append Content-Security-Policy ""
# Header edit Content-Security-Policy "^$" "<directives>"
#
# =================================================================
</IfModule>
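Review bot: both `FilesMatch` patterns are case-sensitive, so a file named `report.PDF` does not match `<FilesMatch "\.pdf$">`, falls through to `<FilesMatch "(?<!\.pdf)$">` and still receives the strict `style-src 'none'; object-src 'none'` policy that this change is meant to lift for Safari. Consider `<FilesMatch "(?i)\.pdf$">` and `<FilesMatch "(?i)(?<!\.pdf)$">` so that the two rules stay mutually exclusive under the same case rule (both are PCRE, so the inline flag works with the lookbehind). Two smaller points: every filename matches exactly one of the two `FilesMatch` sections, so the unconditional `Header set Content-Security-Policy "default-src 'self'; ..."` at the top of the `<IfModule>` block is overridden on every request and, if it survives the change, is dead configuration that the comment `# // comment previous line and use the following two lines instead` no longer describes; and in both comment blocks "has not be set before" should read "has not been set before". Finally, the relaxed PDF policy is keyed on the file name, not on the content type actually served: any response whose name ends in `.pdf` gets `default-src 'self' 'unsafe-inline'` with `style-src` no longer restricted, so a one-line comment stating that the relaxation is by suffix only would help whoever later tightens `fileadmin/` uploads.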