Task #100887

open

Allow remote proxies to handle CSP nonce values

Added by Oliver Hader over 1 year ago. Updated 25 days ago.

Status: Under Review
Priority: Should have
Assignee: -
Category: Content Security Policy
Target version: -
Start date: 2023-05-16
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

→ find examples at https://scotthelme.co.uk/csp-nonces-the-easy-way-with-cloudflare-workers/

Find a way that e.g. uses a static nonce value, such as <script src="..." nonce="[[nonce-placeholder]]">, which will be substituted by a remote proxy server (nginx, CloudFlare, ...). In addition, that proxy server would have to take care of adjusting the CSP HTTP headers as well.


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #103149: CSP prevents sitemap.xml inline CSS styles (Resolved, 2024-02-19)

Actions #1

Updated by Oliver Hader over 1 year ago

  • Assignee deleted (Oliver Hader)
Actions #2

Updated by Oliver Hader over 1 year ago

  • Description updated (diff)
Actions #3

Updated by Oliver Hader over 1 year ago

  • Tracker changed from Bug to Task
Actions #4

Updated by Torben Hansen over 1 year ago

Benjamin Franzke found this https://serverfault.com/a/1064775 discussion. So in conclusion, a cached nonce may not be a general problem for the CSP.

Actions #5

Updated by Oliver Hader over 1 year ago

Torben Hansen wrote in #note-4:

Benjamin Franzke found this https://serverfault.com/a/1064775 discussion. So in conclusion, a cached nonce may not be a general problem for the CSP.

As long as the nonce changes when the content is changed, this is okay.

However, for TYPO3 USER_INT or COA_INT it is unknown which content has been served previously. I think having a few examples and documentation for dynamic workers on CloudFlare or Varnish would be a good thing.

Actions #6

Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #7

Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #8

Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #9

Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #10

Updated by Gerrit Code Review over 1 year ago

Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #11

Updated by Gerrit Code Review over 1 year ago

Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #12

Updated by Gerrit Code Review over 1 year ago

Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #13

Updated by Gerrit Code Review over 1 year ago

Patch set 8 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #14

Updated by Gerrit Code Review over 1 year ago

Patch set 9 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #15

Updated by Gerrit Code Review about 1 year ago

Patch set 10 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #16

Updated by Gerrit Code Review about 1 year ago

Patch set 11 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #17

Updated by Gerrit Code Review about 1 year ago

Patch set 12 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #18

Updated by Gerrit Code Review about 1 year ago

Patch set 13 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #19

Updated by Gerrit Code Review about 1 year ago

Patch set 14 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #20

Updated by Gerrit Code Review about 1 year ago

Patch set 15 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #21

Updated by Gerrit Code Review about 1 year ago

Patch set 16 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #22

Updated by Gerrit Code Review about 1 year ago

Patch set 17 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #23

Updated by Gerrit Code Review about 1 year ago

Patch set 18 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #24

Updated by Gerrit Code Review about 1 year ago

Patch set 19 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #25

Updated by Gerrit Code Review about 1 year ago

Patch set 20 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #26

Updated by Gerrit Code Review about 1 year ago

Patch set 21 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #27

Updated by Gerrit Code Review about 1 year ago

Patch set 22 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #28

Updated by Gerrit Code Review about 1 year ago

Patch set 23 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #29

Updated by Gerrit Code Review about 1 year ago

Patch set 24 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #30

Updated by Gerrit Code Review about 1 year ago

Patch set 25 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #31

Updated by Gerrit Code Review about 1 year ago

Patch set 26 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #32

Updated by Gerrit Code Review 12 months ago

Patch set 27 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #33

Updated by Gerrit Code Review 12 months ago

Patch set 28 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #34

Updated by Oliver Hader 7 months ago

  • Related to Bug #103149: CSP prevents sitemap.xml inline CSS styles added
Actions #35

Updated by Georg Ringer 6 months ago

  • Category changed from Security to Content Security Policy
Actions #36

Updated by Oliver Hader 2 months ago

The current f:asset.script view-helper has a bunch of attributes which have specific meaning and might create new ambiguity:

  • prior to https://review.typo3.org/c/Packages/TYPO3.CMS/+/85310 these were registered as tag attributes and are now handled as "additionalArguments" in Fluid
    • integrity: actually used for sub-resource-integrity (independent of content-security-policy) → however, consider using this existing value for CSP (instead of calculating it automatically, which is actually good for remote sources)
    • nonce: actually using a given nonce (independent of content-security-policy) → however, consider using the existing value for CSP (instead of using the global request nonce)
  • the following attributes can be used to control the global behavior
    • useNonce: explicitly requesting to assign the global nonce (the nonce attribute might(!) take precedence)
    • csp (or any other name that fits better): automatically apply hashes or nonces if applicable → however, the meaning would conflict with an explicit useNonce attribute

Some examples of what might actually happen:

  • <f:asset.script identifier="script" src="https://external.example.org/app.js" integrity="hash-abc" nonce="nonce-xyz" useNonce="1" csp="1" />
    • integrity is given and should be used for CSP unsafe-hashes, since csp="1" is given
    • nonce and useNonce should be dropped, since integrity is more specific (in case integrity has an outdated hash, the script would be blocked, since it was changed remotely - but security-wise it's actually the desired behavior)
  • <f:asset.script identifier="script" integrity="hash-abc" nonce="nonce-xyz" useNonce="1" csp="1">console.log(1);</f:asset.script>
    • integrity might be ignored, since it does not have any impact on inline scripts in the current specs
    • the given nonce attribute should take precedence over useNonce
    • however, having the csp attribute set should(!) adjust CSP rules - that's ambiguous
Actions #37

Updated by Gerrit Code Review 2 months ago

Patch set 29 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #38

Updated by Gerrit Code Review about 1 month ago

Patch set 30 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #39

Updated by Gerrit Code Review 25 days ago

Patch set 31 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Actions #40

Updated by Gerrit Code Review 25 days ago

Patch set 32 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
