Actions
Task #100906
open
Epic #87417: Integrate proper Content Security Policy (CSP) handling
Feature #99499: Introduce Content Security Policy handling
Handle CSP violations in browser extensions
Status:
New
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2023-05-20
Due date:
% Done:
0%
Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Sprint Focus:
Description
General¶
- https://csper.io/blog/csp-report-filtering
- https://dropbox.tech/security/on-csp-reporting-and-filtering
- https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf
- https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20
- https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59
Payloads¶
{"blocked-uri":"inline","column-number":9,"disposition":"enforce","document-uri":"https:\/\/indiemusik-festival.de\/events\/festival-2023","effective-directive":"script-src-elem","line-number":33,"original-policy":"frame-src 'self' https:\/\/*.youtube-nocookie.com https:\/\/*.youtube.com https:\/\/*.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' https:\/\/*.ytimg.com https:\/\/*.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684526938506325","referrer":"","script-sample":"(function (NAVIGATOR, OBJECT) {\n\n if \u2026","source-file":"moz-extension","status-code":200,"violated-directive":"script-src-elem"}
→ "source-file":"moz-extension"
→ payload (function (NAVIGATOR, OBJECT) { if
→ trigger https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23
...
Updated by Oliver Hader 11 months ago
- Tracker changed from Feature to Task
- TYPO3 Version set to 12
Updated by Oliver Hader 8 months ago
- Related to Bug #101887: Javascript error for each module visited on the backend added
Actions