Release Notes / Version 12.2412.0
Table Of Contents
The Content Security Rules for Studio Client have been hardened to
prevent attackers from uploading JavaScript code into CMS Content and
exploit possible XSS vulnerabilities to execute that code in the
context of another Studio user. If you have added any custom scripts
to Studio Client which are not deployed under the
paths /packages/
or /resources/
,
they will now be blocked by the stricter CSP rules, which is reported
in the browser console.
To fix this, you need to allow-list those scripts in
apps/studio-client/apps/main/base-app/sencha/resources/config-init.js
by adding their paths to the allow-list
[..., "resources/", "packages/"]
.
(CMS-22221)