TYPO3 Forge: Issues
http://forge.typo3.org/ (feed updated 2023-10-26T08:30:32Z)
TYPO3 Core - Task #102262 (New): Add CSP MutationMode::InheritStatic (or similar)
http://forge.typo3.org/issues/102262 (2023-10-26T08:30:32Z, Oliver Hader, oliver.hader@typo3.org)
<p>From <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/80756/comments/83fac188_a7132447">https://review.typo3.org/c/Packages/TYPO3.CMS/+/80756/comments/83fac188_a7132447</a></p>
<blockquote>
<p>I would prefer we had some kind of "late static binding" extensions, that says: "whatever is changed on the ancestor sometime later, please inherit" <br />Maybe that could be "InheritStatic".<br />Anyway I'm still fine with this patch as is.</p>
</blockquote>

TYPO3 Core - Bug #102057 (New): W3C validator complains about base64 values in CSP
http://forge.typo3.org/issues/102057 (2023-09-28T09:21:37Z, Oliver Hader, oliver.hader@typo3.org)
<p>From <a class="external" href="https://validator.w3.org/nu/">https://validator.w3.org/nu/</a></p>
<blockquote>
<p>Warning: Content-Security-Policy HTTP header: Bad content security policy: Invalid base64-value (should be multiple of 4 bytes: 54)</p>
</blockquote>
<p>From the specs at <a class="external" href="https://www.w3.org/TR/CSP3/#framework-directive-source-list">https://www.w3.org/TR/CSP3/#framework-directive-source-list</a></p>
<blockquote>
<p>; Nonces: 'nonce-[nonce goes here]'<br />nonce-source = "'nonce-" base64-value "'"</p>
<p>The base64-value grammar allows both base64 and base64url encoding. These encodings are treated as equivalent when processing hash-source values. Nonces, however, are strict string matches: we use the base64-value grammar to limit the characters available, and reduce the complexity for the server-side operator (encodings, etc), but the user agent doesn’t actually care about any underlying value, nor does it do any decoding of the nonce-source value.</p>
</blockquote>
<hr />
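<p>An added check for this issue (example code, not TYPO3's own): it validates a nonce against the CSP3 base64-value grammar and the multiple-of-4 length rule the W3C validator applies, restores the padding that base64url encoders drop, and generates a nonce that satisfies both from the start. <code>ISSUE_NONCE</code> is the 54-character value quoted below; the 40-byte length in <code>make_nonce</code> is chosen to match it, and <code>lint_policy</code> is a hypothetical helper that applies the check to every nonce-source in a policy string.</p>

```python
import base64
import re
import secrets

# CSP3: base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" ) *2( "=" )
BASE64_VALUE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")
NONCE_TOKEN = re.compile(r"'nonce-([^']*)'")
# The 54-character nonce quoted in this issue (base64url, padding dropped).
ISSUE_NONCE = "GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA"


def check_nonce(value: str) -> list[str]:
    """Problems a strict validator such as validator.w3.org reports; [] if clean."""
    problems = []
    if not BASE64_VALUE.fullmatch(value):
        problems.append("contains characters outside the base64-value grammar")
    if len(value) % 4 != 0:
        problems.append(f"length {len(value)} is not a multiple of 4 (padding missing?)")
    return problems


def pad_nonce(value: str) -> str:
    """Append the '=' padding that base64url-without-padding encoders drop."""
    return value + "=" * (-len(value) % 4)


def to_standard_base64(value: str) -> str:
    """Map the base64url alphabet ('-', '_') onto the standard one ('+', '/')."""
    return value.replace("-", "+").replace("_", "/")


def nonce_byte_length(value: str) -> int:
    """How many random bytes the nonce carries (decodes a padded copy)."""
    return len(base64.urlsafe_b64decode(pad_nonce(value)))


def make_nonce(nbytes: int = 40) -> str:
    """Fresh per-response nonce; padding is kept so len % 4 == 0 and validators stay quiet."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def lint_policy(policy: str) -> dict[str, list[str]]:
    """Map every 'nonce-...' source found in a policy string to its problems."""
    return {n: check_nonce(n) for n in NONCE_TOKEN.findall(policy)}
```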
<p>For context, the used nonce value was <code>'nonce-GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA'</code></p>
<ul>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA</code> in base64web</li>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA</code> in base64 (shortened)</li>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA==</code> in base64 (complete, 56 chars, 56 mod 4 = 0)</li>
</ul>

TYPO3 Core - Task #100906 (New): Handle CSP violations in browser extensions
http://forge.typo3.org/issues/100906 (2023-05-20T11:55:08Z, Oliver Hader, oliver.hader@typo3.org)
<a name="General"></a>
<h3 >General<a href="#General" class="wiki-anchor">¶</a></h3>
<ul>
<li><a class="external" href="https://csper.io/blog/csp-report-filtering">https://csper.io/blog/csp-report-filtering</a></li>
<li><a class="external" href="https://dropbox.tech/security/on-csp-reporting-and-filtering">https://dropbox.tech/security/on-csp-reporting-and-filtering</a></li>
<li><a class="external" href="https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf">https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf</a></li>
<li><a class="external" href="https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20">https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20</a></li>
<li><a class="external" href="https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59">https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59</a></li>
</ul>
<a name="Payloads"></a>
<h3 >Payloads<a href="#Payloads" class="wiki-anchor">¶</a></h3>
<code>{"blocked-uri":"inline","column-number":9,"disposition":"enforce","document-uri":"https:\/\/indiemusik-festival.de\/events\/festival-2023","effective-directive":"script-src-elem","line-number":33,"original-policy":"frame-src 'self' https:\/\/*.youtube-nocookie.com https:\/\/*.youtube.com https:\/\/*.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' https:\/\/*.ytimg.com https:\/\/*.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684526938506325","referrer":"","script-sample":"(function (NAVIGATOR, OBJECT) {\n\n if \u2026","source-file":"moz-extension","status-code":200,"violated-directive":"script-src-elem"}
</code>
<p>→ <code>"source-file":"moz-extension"</code><br />→ payload <code>(function (NAVIGATOR, OBJECT) { if </code><br />→ trigger <a class="external" href="https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23">https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23</a></p>
<hr />
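<p>An added triage filter for the extension case above (example code, not TYPO3's own): it marks reports as noise when <code>source-file</code> or <code>blocked-uri</code> carries a browser-extension scheme or when <code>script-sample</code> starts with a known content-script prefix, and counts what remains actionable. The sample bodies, the placeholder host example.org and the <code>KNOWN_SAMPLES</code> list are constructed for this example.</p>

```python
import json

# URI schemes browsers use for add-on injected content: a violation whose source-file
# or blocked-uri carries one of them came from the visitor's extension, not the site.
EXTENSION_SCHEMES = {"moz-extension", "chrome-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}
# script-sample prefixes of known harmless injectors (constructed list, seeded
# with the Privacy Badger DNT content-script fragment quoted above).
KNOWN_SAMPLES = ("(function (NAVIGATOR, OBJECT) {",)


def _scheme(uri: str) -> str:
    # Firefox reports the bare scheme "moz-extension", Chrome a full "chrome-extension://id/x.js"
    return uri.split(":", 1)[0].strip().lower()


def classify(raw: str) -> tuple[bool, str]:
    """Return (is_noise, reason) for one JSON report body."""
    report = json.loads(raw)
    body = report.get("csp-report", report)  # report-uri wraps the body, report-to does not
    for key in ("source-file", "blocked-uri"):
        value = body.get(key, "")
        if _scheme(value) in EXTENSION_SCHEMES:
            return True, f"{key}={value!r} originates from a browser extension"
    sample = body.get("script-sample", "")
    if any(sample.startswith(p) for p in KNOWN_SAMPLES):
        return True, "script-sample matches a known extension content script"
    return False, f"{body.get('effective-directive', '?')} violation on {body.get('document-uri', '?')}"


def triage(raw_reports: list[str]) -> dict[str, int]:
    """Split a batch of report bodies into noise and actionable counts."""
    counts = {"noise": 0, "actionable": 0}
    for raw in raw_reports:
        counts["noise" if classify(raw)[0] else "actionable"] += 1
    return counts


# Constructed sample bodies (placeholder host example.org) shaped like the report above.
SAMPLE_REPORTS = [
    '{"csp-report":{"blocked-uri":"inline","effective-directive":"script-src-elem",'
    '"document-uri":"https://example.org/","source-file":"moz-extension",'
    '"script-sample":"(function (NAVIGATOR, OBJECT) {\\n\\n if"}}',
    '{"csp-report":{"blocked-uri":"chrome-extension://abcdefghijklmnop/inject.js",'
    '"effective-directive":"script-src","document-uri":"https://example.org/"}}',
    '{"csp-report":{"blocked-uri":"inline","effective-directive":"script-src-elem",'
    '"document-uri":"https://example.org/page","source-file":"https://example.org/page",'
    '"script-sample":"console.log(\'inline\')"}}',
]
```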
<p>...</p>

TYPO3 Core - Bug #100904 (New): Fallback to script-src and style-src
http://forge.typo3.org/issues/100904 (2023-05-20T11:24:22Z, Oliver Hader, oliver.hader@typo3.org)
<p>Using CSP in the wild still shows several browsers not supporting the <code>-attr</code> or <code>-elem</code> (CSP level 3) variants of <code>script-src</code> and <code>style-src</code> (CSP level 1). Therefore it seems to be required to introduce an internal merge/fall-back possibility while still keeping the specific <code>-attr</code> or <code>-elem</code> declarations for the future.</p>
<p>Thus, when instructed, the <code>-attr</code> or <code>-elem</code> declarations shall be merged into their parent <code>script-src</code> and <code>style-src</code> directives. The instruction might be different for each scope (backend, frontend, frontend-site).</p>

TYPO3 Core - Task #95559 (New): Make authentication warnings configurable
http://forge.typo3.org/issues/95559 (2021-10-11T10:42:26Z, Oliver Hader, oliver.hader@typo3.org)
<p>Following <code>TYPO3_CONF_VARS</code> should be configurable:</p>
<ul>
<li><code>['BE']['warning_email_addr']</code> (possible already)</li>
<li><code>['BE']['warning_period']</code> (new, time in seconds >= 0, 0 means always)</li>
<li><code>['BE']['warning_max']</code> (new, integer >= 0, 0 means always)</li>
</ul>

TYPO3 Core - Feature #93390 (New): Integrate source file based integrity check
http://forge.typo3.org/issues/93390 (2021-02-01T07:56:59Z, Oliver Hader, oliver.hader@typo3.org)
<ul>
<li>having a signed(!) list of valid hashsums of core and extension files
<ul>
<li>being part of the core release process</li>
<li>being part of TER publication process</li>
</ul>
</li>
<li>system report comparing file hashes
<ul>
<li>detect modifications</li>
<li>detect additional files</li>
</ul></li>
</ul>
<p>This probably works for known locations, but cannot be applied directly to "arbitrary file storages" like /fileadmin/.</p>

TYPO3 Core - Feature #91668 (New): Add system communication API
http://forge.typo3.org/issues/91668 (2020-06-17T17:46:25Z, Oliver Hader, oliver.hader@typo3.org)
<p>A system communication API could be used to retrieve data from official typo3.org services or send back anonymous usage data in order to help understand TYPO3-use-cases much better.</p>
<a name="Scenarios"></a>
<h2 >Scenarios<a href="#Scenarios" class="wiki-anchor">¶</a></h2>
<ul>
<li>compare current TYPO3 version with latest TYPO3 version & warn about missing security updates</li>
<li>fetch and display vendor messages for selected topics - e.g. release updates, important security notifications, etc.</li>
<li>send anonymous usage data back to granted services (typo3.org or custom endpoints)</li>
</ul>
<a name="Requirements"></a>
<h2 >Requirements<a href="#Requirements" class="wiki-anchor">¶</a></h2>
<ul>
<li>non-blocking - most of the communication shall happen in the background or in the client only (AJAX)</li>
<li>HTTP requests need to provide as little information as possible (no referrers, no cookies, ...)</li>
<li>each used communication stream/channel must be opt-in - users or site admins have to subscribe</li>
</ul>

TYPO3 Core - Bug #91572 (New): Streamline install tool API usage
http://forge.typo3.org/issues/91572 (2020-06-03T19:06:31Z, Oliver Hader, oliver.hader@typo3.org)

TYPO3 Core - Task #91283 (New): Integrate HTTP Sec-Fetch header policy
http://forge.typo3.org/issues/91283 (2020-05-03T20:08:27Z, Oliver Hader, oliver.hader@typo3.org)
<p>Example headers:</p>
<ul>
<li>HTTP fetch
<ul>
<li>HTTP_SEC_FETCH_DEST: "empty" </li>
<li>HTTP_SEC_FETCH_MODE: "cors" </li>
<li>HTTP_SEC_FETCH_SITE: "same-origin"</li>
</ul></li>
</ul>
<ul>
<li>IFRAME fetch
<ul>
<li>HTTP_SEC_FETCH_DEST: "iframe" </li>
<li>HTTP_SEC_FETCH_MODE: "navigate" </li>
<li>HTTP_SEC_FETCH_SITE: "cross-site"</li>
</ul></li>
</ul>
<p>Resources:</p>
<ul>
<li><a class="external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest</a></li>
<li><a class="external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site</a></li>
<li><a class="external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User</a></li>
<li><a class="external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode</a></li>
</ul>
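<p>An added Python model of the fetch-policy idea in this issue (example code, not the TYPO3 implementation): one allowed-value set per Sec-Fetch-* header plus an allowed-absence switch for browsers that send none of them, evaluated against the two header examples above. <code>AJAX_POLICY</code> and the three request dicts are constructed for this example; <code>FetchPolicy</code> mirrors the <code>withFetchDest</code>/<code>withFetchSite</code>/<code>withFetchUser</code>/<code>withFetchMode</code>/<code>withAllowedAbsence</code> sketch only in spirit.</p>

```python
from dataclasses import dataclass

# The four Sec-Fetch-* headers (PHP sees them as HTTP_SEC_FETCH_DEST etc. in $_SERVER).
SEC_FETCH_HEADERS = ("Sec-Fetch-Dest", "Sec-Fetch-Mode", "Sec-Fetch-Site", "Sec-Fetch-User")


@dataclass(frozen=True)
class FetchPolicy:
    """Allowed values per header; an empty set means any value is accepted for that header."""
    fetch_dest: frozenset[str] = frozenset()
    fetch_mode: frozenset[str] = frozenset()
    fetch_site: frozenset[str] = frozenset()
    fetch_user: frozenset[str] = frozenset()
    allowed_absence: bool = True  # browsers without Sec-Fetch support send none of the headers

    def evaluate(self, headers: dict[str, str]) -> tuple[bool, str]:
        """Return (allowed, reason) for one request; header names are matched case-insensitively."""
        lower = {k.lower(): v.strip().lower() for k, v in headers.items()}
        if not any(h.lower() in lower for h in SEC_FETCH_HEADERS):
            if self.allowed_absence:
                return True, "no Sec-Fetch metadata"
            return False, "Sec-Fetch metadata required"
        constraints = {"sec-fetch-dest": self.fetch_dest, "sec-fetch-mode": self.fetch_mode,
                       "sec-fetch-site": self.fetch_site, "sec-fetch-user": self.fetch_user}
        for name, allowed in constraints.items():
            if not allowed:
                continue
            value = lower.get(name)
            if value is None:  # a Sec-Fetch-aware browser omitted a header the policy constrains
                return False, f"{name} missing"
            if value not in allowed:
                return False, f"{name}={value!r} not in {sorted(allowed)}"
        return True, "ok"


# Policy for a backend AJAX endpoint: same-origin, non-navigational fetches only.
AJAX_POLICY = FetchPolicy(fetch_dest=frozenset({"empty"}),
                          fetch_mode=frozenset({"cors", "same-origin"}),
                          fetch_site=frozenset({"same-origin"}))

# Constructed requests mirroring the two header examples from the issue, plus a legacy one.
AJAX_REQUEST = {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
IFRAME_REQUEST = {"Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "cross-site"}
LEGACY_REQUEST = {"User-Agent": "old-browser/1.0"}
```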
<hr />
<p>Integrate <code>RequestPolicy</code> and <code>FetchPolicy</code></p>
<pre>
$requestPolicy = (new RequestPolicy())
    ->withFetchPolicy((new FetchPolicy())
        ->withAllowedAbsence(bool)
        ->withFetchDest(string[])
        ->withFetchSite(string[])
        ->withFetchUser(string[])
        ->withFetchMode(string[])
    );
</pre>

TYPO3 Core - Task #90995 (New): Integrate Cross-Origin-Opener-Policy HTTP header in backend
http://forge.typo3.org/issues/90995 (2020-04-10T13:33:39Z, Oliver Hader, oliver.hader@typo3.org)
<pre>
Cross-Origin-Opener-Policy: same-site
</pre>
<a name="References"></a>
<h3 >References<a href="#References" class="wiki-anchor">¶</a></h3>
<ul>
<li><a class="external" href="https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit">https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit</a></li>
<li><a class="external" href="https://www.chromestatus.com/feature/5432089535053824">https://www.chromestatus.com/feature/5432089535053824</a></li>
<li><a class="external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy</a></li>
</ul>

TYPO3 Core - Epic #87417 (New): Integrate proper Content Security Policy (CSP) handling
http://forge.typo3.org/issues/87417 (2019-01-13T10:58:12Z, Oliver Hader, oliver.hader@typo3.org)
<p>In order to reduce the risk of cross-site scripting in the TYPO3 backend, proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough, since reporting, management and adjustment of core components as well as 3rd-party components (extensions) are also required.</p>
<p>The functionality is outlined like this:</p>
<ul>
<li>CSP management & configuration module (either on a site level or for whole TYPO3 installation)</li>
<li>CSP violation reporting endpoint in order to identify flaws and violations earlier (might be misconfiguration or vulnerability)</li>
<li>CSP manifest definition that allows 3rd party extensions to use resources of remote hosts (to be used in management module)</li>
<li>adjustment and refactoring of TYPO3 core components & guidelines for extension authors</li>
</ul>

TYPO3 Core - Feature #87300 (New): Limit amount of concurrent user sessions for same user
http://forge.typo3.org/issues/87300 (2018-12-27T13:53:30Z, Oliver Hader, oliver.hader@typo3.org)
<p>TYPO3 allows multiple sessions per user, which is a feature on the one hand, but could also be a security risk on the other. In order to enhance the scenario it should be possible to limit the amount of concurrent user sessions per user (or disable concurrent logins at all).</p>
<p>Behavior can be configured either for the whole system or (optionally) per user.</p>

TYPO3 Core - Feature #79105 (New): Extend workspace notification channels
http://forge.typo3.org/issues/79105 (2016-12-29T13:15:10Z, Oliver Hader, oliver.hader@typo3.org)
<p>Currently, workspaces only support sending out notifications via mail; however, it would be great if this could be enhanced to push notifications to any other service, like e.g. Slack or IRC. This feature is about providing the possibility to have a custom API for attaching new notification services.</p>

TYPO3 Core - Bug #78849 (New): Show logged records of DatabaseWriter in ext:belog
http://forge.typo3.org/issues/78849 (2016-12-01T12:33:34Z, Oliver Hader, oliver.hader@typo3.org)
<p>Log entries that have been persisted using the logging framework are not visualized in ext:belog.<br />The reason is that the logging framework uses different field names for the sys_log table that are not considered.</p>

TYPO3 Core - Feature #65720 (New): Add workspace element filter settings
http://forge.typo3.org/issues/65720 (2015-03-13T14:55:48Z, Oliver Hader, oliver.hader@typo3.org)
<p>The workspace configuration is extended by an element filter setting that allows defining record visibility in the workspace module per stage. This way, it can be defined that either the workspace owner, members, or editors/creators of a particular record are allowed to see elements in the module, depending on the setting for the element's workspace stage.</p>