From 3becdd976df658af08e703d17efa779157758084 Mon Sep 17 00:00:00 2001
From: Sascha Lenk <99041549+sascha988@users.noreply.github.com>
Date: Sat, 25 Feb 2023 23:56:59 +0100
Subject: [PATCH] vulnerability Path-relative stylesheet import (PRSSI) fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Threat

Relative URLs can be dangerous since the browser may not determine the correct directory. If the HTML uses path-relative CSS links, it may be susceptible to path-relative stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.

Impact

An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including cross-site scripting (XSS) and exfiltration of CSRF tokens.

Solution

It is recommended to use absolute URLs for CSS imports. Alternately you can add the HTML "base" tag in the document which defines the base URL or target location for all the relative URLs.

The vulnerability can also be mitigated by using the following best practices to harden the web pages:

• Set a DOCTYPE which does not allow Quirks mode as explained at https://hsivonen.fi/doctype/
• Set response header X-Frame-Options: deny
• Set response header X-Content-Type-Options: nosniff.

-----------

To me, the easiest way to fix this was adding the base URL. :)
---
 templates/base.html.twig | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/templates/base.html.twig b/templates/base.html.twig
index 7914a9a7..5a01b8d2 100644
--- a/templates/base.html.twig
+++ b/templates/base.html.twig
@@ -3,6 +3,8 @@
+ +
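Review bot: the two `+` lines in this hunk arrive with empty content in this rendering, so the actual `<base>` element and its `href` value cannot be reviewed here; the commit message only says a base URL was added near the top of templates/base.html.twig. Please confirm in the real diff that the `href` is an absolute URL taken from application configuration rather than derived from the incoming request (for example the Host header), since a `<base>` whose value an attacker can influence defeats the purpose of the fix. Also note that `<base>` rewrites the resolution of every relative URL in the page, including anchors, form actions and script sources, not only the stylesheet links, so existing relative links in the other templates should be checked against the new base. The DOCTYPE, X-Frame-Options and X-Content-Type-Options hardening listed in the message is not part of this 2-line change and would need a separate commit or server configuration.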