Task #100887
openAllow remote proxies to handle CSP nonce values
0%
Description
→ find examples at https://scotthelme.co.uk/csp-nonces-the-easy-way-with-cloudflare-workers/
Find a way that e.g. uses a static nonce value, e.g. <script src="..." nonce="[[nonce-placeholder]]">
which will be substituted by a remote proxy server (nginx, CloudFlare, ...). In addition, that proxy server would have to take care of adjusting the CSP HTTP headers as well.
Updated by Torben Hansen over 1 year ago
Benjamin Franzke found this https://serverfault.com/a/1064775 discussion. So in conclusion, a cached nonce
may not be a general problem for the CSP
Updated by Oliver Hader over 1 year ago
Torben Hansen wrote in #note-4:
Benjamin Franzke found this https://serverfault.com/a/1064775 discussion. So in conclusion, a cached
nonce
may not be a general problem for the CSP
As long as the nonce
changes when the content is changed, this is okay.
However for TYPO3 USER_INT
or COA_INT
it is unknown, which content has been served previously. I think having a few examples and documentation for dynamic workers on CloudFlare or Varnish would be a good thing.
Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review over 1 year ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review over 1 year ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review over 1 year ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review over 1 year ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review over 1 year ago
Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review over 1 year ago
Patch set 8 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review over 1 year ago
Patch set 9 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 10 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 11 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 12 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 13 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 14 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 15 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 16 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 17 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 18 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 19 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 20 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 21 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 22 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 23 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 24 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 25 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 year ago
Patch set 26 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review 12 months ago
Patch set 27 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review 12 months ago
Patch set 28 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Oliver Hader 7 months ago
- Related to Bug #103149: CSP prevents sitemap.xml inline CSS styles added
Updated by Georg Ringer 6 months ago
- Category changed from Security to Content Security Policy
Updated by Oliver Hader 2 months ago
The current f:asset.script
view-helper has a bunch of attributes which have specific meaning and might create new ambiguity:
- prior to https://review.typo3.org/c/Packages/TYPO3.CMS/+/85310 where registered as tag attributes and are now handled as "additionalArguments" in Fluid
integrity
: actually used for sub-resource-integrity (independent of content-security-policy) → however, consider to use this existing value for CSP (instead of calculating it automatically, which is actually good for remote sources)nonce
: actually using a given nonce for (independent of content-security-policy) → however, consider to us the existing value for CSP (instead of using the global request nonce)
- the following attributes can be used to control the global behavior
useNonce
: explicitly requesting to assign the global nonce (thenonce
attribute might(!) take precedence)csp
(or any other name that fits better): automatically apply hashes or nonces if applicable → however the meaning would conflict with an explicituseNonce
attribute
Some examples what might actually happen:
<f:asset.script identifier="script" src="https://external.example.org/app.js" integrity="hash-abc" nonce="nonce-xyz" useNonce="1" csp="1" />
integrity
is given and should be used for CSPunsafe-hashes
, sincecsp="1"
is givennonce
anduseNonce
should be dropped, sinceintegrity
is more specific (in caseintegrity
has an outdated hash, the script would be blocked, since it was changed remotely - but security-wise it's actually the desired behavior)
<f:asset.script identifier="script" integrity="hash-abc" nonce="nonce-xyz" useNonce="1" csp="1">console.log(1);</f:asset.script>
integrity
might be ignored, since it does not have any impact on inline scripts in the current specs- the given
nonce
attribute should take precedence overuseNonce
- however, having the
csp
attribute set, should(!) adjust CSP rules - that's ambiguous
Updated by Gerrit Code Review 2 months ago
Patch set 29 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review about 1 month ago
Patch set 30 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review 25 days ago
Patch set 31 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
Updated by Gerrit Code Review 25 days ago
Patch set 32 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554