Feature #101580
closed
Add feature flag to enable CSP ReportOnly mode
Added by Sascha Nowak over 1 year ago. Updated about 1 month ago.
100%
Description
Since version 13 the backend CSP is enabled by default. The feature flag that is introduced in version 12 is now always active.
It would be great to have the possibility to put the frontend in report only mode to collect data before rolling out the CSP.
To archive this I would introduce another feature flag `security.frontend.contentSecurityPolicyReportOnly`.
Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Gerrit Code Review over 1 year ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Gerrit Code Review 11 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Johannes Schlier 7 months ago
ยท Edited
Having a Report-Only option is a good step in the right direction, but I don't think a feature flag that simply changes the header to Report-Only is the way to approach this "problem".
IMO there should be an option to send both a Content-Security-Policy AND a Content-Security-Policy-Report-Only header, each with their own configuration for the policy.
Without both headers you either
a) potentially break users' experience when applying a stricter policy or
b) remove all policy enforcement when testing a new (stricter) policy with the report-only mode.
Having both headers allows changes to the CSP to be audited and tested, and reacted to, without the drawbacks I mentioned above.
This would be especially useful for older and/or larger projects where the new (at least to TYPO3) CSP feature should be added.
Without the possibility to safely test the changes I feel like an unnecessarily loose CSP would become standard in fear of breaking something.
Better than no CSP, but this should not be the goal.
What do you think @Oliver Hader ?
You implemented the whole CSP functionality as far as I know.
Updated by Georg Ringer 5 months ago
- Category changed from Security to Content Security Policy
Updated by Gerrit Code Review 4 months ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Gerrit Code Review 4 months ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Gerrit Code Review 4 months ago
Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397
Updated by Oliver Hader 3 months ago
- Related to Feature #104470: CSP - Report-Only mode added
Updated by Gerrit Code Review 3 months ago
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 8 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 9 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 10 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 11 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 12 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 13 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 14 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 15 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 16 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 17 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 18 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 19 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 20 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 21 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 22 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 23 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 24 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 25 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 26 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 27 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 28 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 29 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85809
Updated by Oliver Hader 3 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 13758d53870c9409f7e36ba5f6b6d01671b2b658.
Updated by Oliver Hader 3 months ago
- Related to Task #104549: Activation of CSP headers for frontend per site in multidomain installation added
Updated by