Feature #101580
Add feature flag to enable CSP ReportOnly mode (status: open)
Description
Since version 13 the backend CSP is enabled by default. The feature flag that was introduced in version 12 is now always active.
It would be great to have the possibility to put the frontend in report-only mode to collect data before rolling out the CSP.
To achieve this I would introduce another feature flag `security.frontend.contentSecurityPolicyReportOnly`.
Updated by Gerrit Code Review 9 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Gerrit Code Review 9 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Gerrit Code Review 9 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Gerrit Code Review 4 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Johannes Schlier 12 days ago · Edited
Having a Report-Only option is a good step in the right direction, but I don't think a feature flag that simply changes the header to Report-Only is the way to approach this "problem".
IMO there should be an option to send both a Content-Security-Policy AND a Content-Security-Policy-Report-Only header, each with their own configuration for the policy.
Without both headers you either
a) potentially break users' experience when applying a stricter policy or
b) remove all policy enforcement when testing a new (stricter) policy with the report-only mode.
Having both headers allows changes to the CSP to be audited and tested, and reacted to, without the drawbacks I mentioned above.
This would be especially useful for older and/or larger projects where the new (at least to TYPO3) CSP feature should be added.
Without the possibility to safely test the changes I feel like an unnecessarily loose CSP would become standard in fear of breaking something.
Better than no CSP, but this should not be the goal.
What do you think @Oliver Hader?
You implemented the whole CSP functionality as far as I know.
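The dual-header approach described in the comment above, shown as an added example that is not TYPO3 code and not the project's own implementation: one response carries the currently enforced policy in `Content-Security-Policy` and a stricter candidate in `Content-Security-Policy-Report-Only`, both pointing at the same report endpoint, and the violation reports the browser posts back are triaged by their `disposition` field so that only the candidate's would-be breakages surface. The policies, the `/csp-report` path and the sample reports are constructed for the demo; the report field names follow the `csp-report` JSON format browsers send to `report-uri`.

```python
"""Enforced CSP plus a report-only candidate on the same response, and a
triage of the violation reports. Example code, not TYPO3's implementation."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Directive -> list of source expressions (constructed policies for the demo).
ENFORCED = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "https://cdn.example.com"],
    "img-src": ["'self'", "data:", "https:"],
}
# The candidate drops 'unsafe-inline' and the blanket https: image source.
CANDIDATE = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "img-src": ["'self'", "data:"],
}


def serialize_policy(policy, report_uri=None):
    """Join directives into the ';'-separated header value, optionally with report-uri."""
    parts = [f"{directive} {' '.join(sources)}" for directive, sources in policy.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def build_csp_headers(enforced, candidate, report_uri="/csp-report"):
    """Both headers on one response: the first keeps protecting users, the
    second only reports what the stricter candidate would have blocked."""
    return {
        "Content-Security-Policy": serialize_policy(enforced, report_uri),
        "Content-Security-Policy-Report-Only": serialize_policy(candidate, report_uri),
    }


def parse_report(raw_json):
    """Reduce one csp-report body to (disposition, directive, blocked host)."""
    body = json.loads(raw_json)["csp-report"]
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    blocked = body.get("blocked-uri", "")
    # Keep only the origin of external resources; 'inline', 'eval', 'data' stay as-is.
    host = urlsplit(blocked).netloc or blocked
    # 'disposition' says which header produced the report (CSP3 reports carry
    # "enforce" or "report"); a report without it came from the enforced header.
    return body.get("disposition", "enforce"), (directive.split() or [""])[0], host


def summarize_reports(raw_reports):
    """Count identical violations so noisy pages do not drown rare ones."""
    return Counter(parse_report(r) for r in raw_reports)


def candidate_regressions(counts):
    """Violations only the report-only candidate flagged: what would break if
    it were promoted to the enforced header."""
    return {key[1:]: n for key, n in counts.items() if key[0] == "report"}


# Constructed violation reports, as a browser would POST them to /csp-report.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "inline", "disposition": "report"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/about",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "inline", "disposition": "report"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/news",
                               "effective-directive": "img-src",
                               "blocked-uri": "https://images.partner.example/a.png",
                               "disposition": "report"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "https://evil.example/x.js",
                               "disposition": "enforce"}}),
]


if __name__ == "__main__":
    for name, value in build_csp_headers(ENFORCED, CANDIDATE).items():
        print(f"{name}: {value}")
    for (directive, host), n in candidate_regressions(summarize_reports(SAMPLE_REPORTS)).items():
        print(f"candidate would block {n}x {directive} -> {host}")
```

Reports with `disposition: "enforce"` are the existing policy doing its job and need no change; the `report` ones are the list to work through (move inline scripts to nonces, allow-list the partner image host) before the candidate is swapped into the enforcing header.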