Task #104141

closed

Add request object to \TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent

Added by Josef Glatz 5 months ago. Updated 4 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Content Security Policy
Target version:
Start date: 2024-06-18
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 13
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Proposal

It would be a real benefit if the event listener got the ServerRequestInterface, to handle custom implementations.

Why?

Scenario (real use case of this event):

The whole TYPO3 site has a strict CSP behaviour, except for MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles, images from external CDN services, etc.

So the newsletter is built right within TYPO3, and an external newsletter SaaS tool fetches these pages. We use this event to relax CSP settings for pages with that backendLayout AND some TYPO3 site settings, which needs the request object instead of going through $GLOBALS.
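
Below is an added example of what such a listener could look like once the event carries the request. It is not the reporter's code and not the patch under review. It assumes TYPO3 v13, that the request is exposed through a `getRequest()` accessor on PolicyMutatedEvent (the accessor name is an assumption; check the merged change), that the resolved page record is available as the `frontend.page.information` request attribute, and a hypothetical backend layout identifier and site setting names. Only the existing Policy/Mutation value objects of the CSP component are used.

```php
<?php
declare(strict_types=1);

// Added example: not the reporter's code and not the patch under review.
// Assumptions: TYPO3 v13, PolicyMutatedEvent::getRequest() (name assumed),
// the 'frontend.page.information' request attribute, and the hypothetical
// layout identifier and site setting names below.

namespace Vendor\Newsletter\EventListener;

use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Attribute\AsEventListener;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Mutation;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationCollection;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationMode;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\ScopeType;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\SourceKeyword;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
use TYPO3\CMS\Core\Site\Entity\Site;

#[AsEventListener(identifier: 'vendor-newsletter/relax-csp')]
final class RelaxNewsletterCsp
{
    // Hypothetical backend layout identifier and site setting keys.
    private const NEWSLETTER_LAYOUT = 'pagets__newsletter';
    private const SETTING_ENABLED = 'newsletter.relaxCsp';
    private const SETTING_IMAGE_CDN = 'newsletter.imageCdn';

    public function __invoke(PolicyMutatedEvent $event): void
    {
        // Newsletter pages are delivered in the frontend scope only;
        // the backend policy is never touched by this listener.
        if ($event->scope->type !== ScopeType::Frontend) {
            return;
        }

        $request = $event->getRequest();
        if (!$request instanceof ServerRequestInterface) {
            return;
        }

        // Site settings come from the request, not from $GLOBALS.
        $site = $request->getAttribute('site');
        if (!$site instanceof Site) {
            return;
        }
        $settings = $site->getSettings();
        if ($settings->get(self::SETTING_ENABLED, false) !== true) {
            return;
        }

        if ($this->resolveBackendLayout($request) !== self::NEWSLETTER_LAYOUT) {
            return;
        }

        $mutations = [
            // MJML output ships inline <style> blocks, so style-src needs 'unsafe-inline'.
            new Mutation(MutationMode::Extend, Directive::StyleSrc, SourceKeyword::unsafeInline),
        ];
        $cdn = (string)$settings->get(self::SETTING_IMAGE_CDN, '');
        if ($cdn !== '') {
            // Allow exactly the configured CDN origin rather than a blanket https: scheme.
            $mutations[] = new Mutation(MutationMode::Extend, Directive::ImgSrc, new UriValue($cdn));
        }

        // Policy methods return a new instance; write the result back to the event.
        $relaxed = $event->getCurrentPolicy()->mutate(new MutationCollection(...$mutations));
        $event->setCurrentPolicy($relaxed);
    }

    private function resolveBackendLayout(ServerRequestInterface $request): string
    {
        // Reads the page's own backend_layout field; inheritance via
        // backend_layout_next_level is deliberately not resolved here.
        $pageInformation = $request->getAttribute('frontend.page.information');
        $pageRecord = $pageInformation?->getPageRecord() ?? [];
        return (string)($pageRecord['backend_layout'] ?? '');
    }
}
```

The decision is keyed only on data that is present on every frontend request (the site attribute and the resolved page record), so the relaxation does not depend on per-render state that a page cache might skip; after deploying, fetch a newsletter page twice and compare the Content-Security-Policy header of the cached and uncached response.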

Actions #1

Updated by Gerrit Code Review 5 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84913

Actions #2

Updated by Gerrit Code Review 5 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84913

Actions #3

Updated by Gerrit Code Review 5 months ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84848

Actions #4

Updated by Oliver Bartsch 5 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #5

Updated by Oliver Hader 5 months ago

The whole TYPO3 site has a strict CSP behaviour, except for MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles, images from external CDN services, etc.

How are the MJML-based pages retrieved? I guess this is in the frontend scope?
What would the event handler look like in your case? How are CSP headers modified here?

Actions #6

Updated by Gerrit Code Review 5 months ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84930

Actions #7

Updated by Josef Glatz 5 months ago

Oliver Hader wrote in #note-5:

The whole TYPO3 site has a strict CSP behaviour, except for MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles, images from external CDN services, etc.

How are the MJML-based pages retrieved? I guess this is in the frontend scope?
What would the event handler look like in your case? How are CSP headers modified here?

Hey Oliver, it was just an example. In my situation I'm using a setup like Markus did in his MailService https://gitlab.com/reelworx/typo3/t3-mailservice/-/tree/master/src. The resulting markup of the page is already final HTML, with ugly HTML output and inline stuff. The page is then fetched by the customer's newsletter system.

Actions #8

Updated by Oliver Hader 5 months ago

Josef Glatz wrote in #note-7:

How are the MJML-based pages retrieved? I guess this is in the frontend scope?
What would the event handler look like in your case? How are CSP headers modified here?

Hey Oliver, it was just an example. In my situation I'm using a setup like Markus did in his MailService https://gitlab.com/reelworx/typo3/t3-mailservice/-/tree/master/src. The resulting markup of the page is already final HTML, with ugly HTML output and inline stuff. The page is then fetched by the customer's newsletter system.

Thanks. How are CSP headers modified in your case? Or are they just skipped for that particular purpose?
I'm raising this question since custom modifications via events might have an impact on caches (which was not considered in the recent change that was merged)...

Actions #9

Updated by Gerrit Code Review 5 months ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84952

Actions #10

Updated by Oliver Bartsch 5 months ago

  • Status changed from Under Review to Resolved

Actions #11

Updated by Benni Mack 4 months ago

  • Status changed from Resolved to Closed