[BUG] JSONP in autosuggest prevents CSP #2556
Comments
This is still a security issue in 11.5, hopefully this can be picked up |
Yes, please pick this up |
@masi, @Zillion01, @emileblume |
Thanks for your reaction. This is a project in which I am not specialized; however, I do work for companies that pay DKD for SOLR updates. How do other autosuggest options work without jquery.autocomplete? The thing is, autosuggest is an important feature, but it forces insecure configuration of CSP headers, which makes it, in my opinion, one of the most urgently needed code changes. |
Same here. We have municipalities as clients that also pay for DKD. I think it's irresponsible that this hasn't been fixed earlier. |
Why hasn't this been picked up? With the CSP settings in TYPO3 12 it's not possible to use the auto-suggest; our clients are complaining about this. I find it pretty strange and even annoying that we still have to wait for someone to acknowledge that this is a real problem. |
This change removes the callback logic in the Suggest AJAX Call via JSONP, as JSONP is known to be used to call untrusted third-party code, and can thus be removed, as custom suggest code is done anyway via custom JS implementations. See https://en.wikipedia.org/wiki/JSONP#Security_concerns Fixes: TYPO3-Solr#2556 Ports: TYPO3-Solr#4201
@proudnerds-typo3 All interested parties on older EXT:solr versions:Please use composer patches from https://patch-diff.githubusercontent.com/raw/TYPO3-Solr/ext-solr/pull/4267.patch |
Describe the bug
I have to enable the unsafe-eval policy when I want the default autosuggest client code.
The problem is that JSONP requires the use of eval() on the client side. JSONP has been superseded by CORS for a very long time.