
🛠️ [TASK] Handle Content-Security-Policy headers of TYPO3 v12 #401

Merged
merged 3 commits into from
Nov 15, 2023

Conversation

ohader
Contributor

@ohader ohader commented Nov 5, 2023

Short description

Fully cacheable responses must avoid using Content-Security-Policy nonce values in HTTP headers and the generated HTML markup. This change adjusts the TYPO3 PolicyBehavior to aim for cacheable responses and therefore to use static hash values instead of dynamic nonce values.

Related Issues

More Details

  • the configuration properties validHtaccessHeaders and validFallbackHeaders were extended by Content-Security-Policy (this has to be adjusted manually in the filesystem/settings.php of the corresponding TYPO3 instance)
  • the Apache .htaccess generator was adjusted to update the reporting URI that might potentially be used in the Content-Security-Policy HTTP header, e.g. the corresponding section in the generated .htaccess file would look like this

```apache
<IfModule mod_headers.c>
	Header set Content-Type "text/html; charset=utf-8"
	Header set Content-Language "en-US"
	Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; img-src 'self' data: *.ytimg.com *.vimeocdn.com; base-uri 'self'; frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com; style-src-elem 'self' 'sha256-2jHA7HeLLRBxTLZh3hq5WwCT4sUgYEBWVrYarn//8dA=' 'sha256-6kBl4fibHaZ3yHgzIfBZGSMc9aQsl6Qz024e1PHYzwg=' 'sha256-hsci338HivFL5/1oLdltJy0V2cnmBXK6hq9S1RmxBOI=' 'report-sample'; script-src-elem 'self' 'sha256-jFj1HeJo8v0RAIOenIw0qtV3yom5jiHWB/v7fHZSRC4=' 'sha256-MJesaYFpH4OSpy12iDLxyeIfcVYNXN8OrlRaWAY/HG8=' 'report-sample'; report-uri https://ip13.anyhost.it/@http-reporting?csp=report&requestTime=1699187708212996"
	Header edit Content-Security-Policy (@http-reporting\?csp=report&requestTime=)\d+ $1@t&%t
	Header edit Content-Security-Policy (@http-reporting\?csp=report&requestTime=)@t&t=(\d+) $1$2
	Header set X-SFC-Tags "pageId_1"
</IfModule>
```

`ExtensionUtility::registerModule` is deprecated and without functionality in TYPO3 v12 and was removed for TYPO3 v13.

Core: 12.4
`Content-Security-Policy` HTTP headers need to be statically cached as well. Adjustments to the Apache `.htaccess` generator ensure that the CSP reporting endpoint is updated for each request.

Besides that, the `preferCacheableResponse` CSP behavior is enforced to avoid using nonce values and to prefer hash values instead.

This TYPO3 v12.4 change is required to properly handle hash values automatically for assets:
https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Core: 12.4
Related: lochmueller#389
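Two mechanisms in the description above are easy to get wrong when reproduced elsewhere: building hash sources for inline assets so that the policy stays identical across cached responses (no per-response nonce), and the two-step `Header edit` trick that refreshes the `requestTime` in the `report-uri` on every request served from the static cache. The following Python is an added illustration written for this page, not code from the PR or from ext:staticfilecache; the inline script/style contents, the `example.invalid` reporting endpoint and the microsecond timestamp are constructed, and the expansion of mod_headers' `%t` to the literal form `t=<microseconds>` is an assumption mirrored from the two regexes in the generated `.htaccess`.

```python
import base64
import hashlib
import re

# Constructed inline assets (not from the PR) that a fully cached page might emit.
INLINE_SCRIPT = "window.dataLayer = window.dataLayer || [];"
INLINE_STYLE = ".hero { color: #333; }"


def csp_hash_source(content: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source expression, e.g. 'sha256-<base64>', for inline content.

    The digest covers the exact UTF-8 bytes of the element body, so any whitespace
    change alters the hash; a cacheable policy therefore needs deterministic markup.
    """
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_static_policy(scripts, styles, report_uri: str) -> str:
    """Assemble a policy that uses hash sources instead of per-response nonces.

    Because every value here is derived from static content, the same header can be
    served for every request of the cached page (the 'preferCacheableResponse' idea).
    """
    script_src = " ".join(["'self'", *(csp_hash_source(s) for s in scripts), "'report-sample'"])
    style_src = " ".join(["'self'", *(csp_hash_source(s) for s in styles), "'report-sample'"])
    return (
        f"default-src 'self'; script-src-elem {script_src}; "
        f"style-src-elem {style_src}; report-uri {report_uri}"
    )


def is_cacheable_policy(policy: str) -> bool:
    """A policy carrying a nonce source can never be shared between responses."""
    return "'nonce-" not in policy


# The two `Header edit` directives from the generated .htaccess, as Python regexes.
# mod_headers expands %t to "t=<microseconds since epoch>" (assumption), so one edit
# cannot drop the "t=" prefix: step 1 injects "@t&" followed by %t, step 2 strips
# the marker and the "t=" again, leaving only the fresh digits after requestTime=.
STEP1 = re.compile(r"(@http-reporting\?csp=report&requestTime=)\d+")
STEP2 = re.compile(r"(@http-reporting\?csp=report&requestTime=)@t&t=(\d+)")


def refresh_request_time(header_value: str, now_usec: int) -> str:
    """Simulate both `Header edit` passes; `now_usec` stands in for Apache's %t."""
    mod_headers_t = f"t={now_usec}"  # constructed stand-in for the %t expansion
    step1 = STEP1.sub(lambda m: f"{m.group(1)}@t&{mod_headers_t}", header_value)
    return STEP2.sub(lambda m: f"{m.group(1)}{m.group(2)}", step1)


if __name__ == "__main__":
    # Constructed reporting endpoint with a stale timestamp baked into the cached header.
    stale = "https://example.invalid/@http-reporting?csp=report&requestTime=1699187708212996"
    policy = build_static_policy([INLINE_SCRIPT], [INLINE_STYLE], stale)
    print("cacheable:", is_cacheable_policy(policy))
    print(refresh_request_time(policy, 1700000000000000))
```

Running the module prints the refreshed policy: the hash sources are unchanged between calls, while only the `requestTime` digits move, which is exactly the property that lets the header be written into `.htaccess` once and still yield a current reporting timestamp per request.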
@ohader ohader marked this pull request as draft November 5, 2023 12:34
@ohader
Contributor Author

ohader commented Nov 5, 2023

This change contains some commits that are relevant for TYPO3 v12 only, and are unrelated to CSP. I'm not sure whether there shall be a dedicated TYPO3 v12 version of ext:staticfilecache. For instance, commit 086f90c would not work with TYPO3 v11.

Side-note: I was testing with TYPO3 v13-dev, that's why these changes were required. When just focussing on TYPO3 v12, there is not really a hard requirement. That being said, it probably would have been better to keep them in a separate pull request.

@lochmueller
Owner

Hey @ohader
looks good for me. The extension is pretty stable, and I think we could change the master to v12 & v13-dev.
Could you adapt the composer.json requirements as well? Then we can merge the changes (even if the related core changes are not merged yet). Or do you suggest to wait for the core changes?!
Regards,
Tim

@ohader
Contributor Author

ohader commented Nov 13, 2023

Sounds good. I'll continue here during the next few days. I don't see hard dependencies to those core settings.

@lochmueller lochmueller marked this pull request as ready for review November 15, 2023 21:04
@lochmueller
Owner

Hey @ohader I will merge the changes and switch core versions in the meta files in a few minutes...

@lochmueller lochmueller merged commit 7bf0ed5 into lochmueller:master Nov 15, 2023
2 of 5 checks passed
@lochmueller
Owner

db8a6d8
