Task #104141
closed
Add request object to \TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent
100%
Description
Proposal
It would be a real benefit if the event listener gets the ServerRequestInterface to handle custom implementations.
Why?
Scenario (real use case of this event):
The whole TYPO3 site has a strict CSP behaviour except MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles and images from external CDN services, etc.
So the newsletter is built right within TYPO3. And an external newsletter SaaS tool fetches these pages. We use this event to relax CSP settings for pages with that backendLayout AND some TYPO3 site settings which need the request object instead of going the way through $GLOBALS.
Updated by Gerrit Code Review 5 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84913
Updated by Gerrit Code Review 5 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84913
Updated by Gerrit Code Review 5 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84848
Updated by Oliver Bartsch 5 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 5a46d585958740db00ce41a00579825d3a589dcb.
Updated by Oliver Hader 5 months ago
The whole TYPO3 site has a strict CSP behaviour except MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles and images from external CDN services, etc.
How are the MJML-based pages retrieved? I guess this is in the frontend scope?
How would the event handler look in your case - how are CSP headers modified here?
Updated by Gerrit Code Review 5 months ago
- Status changed from Resolved to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84930
Updated by Josef Glatz 5 months ago
Oliver Hader wrote in #note-5:
The whole TYPO3 site has a strict CSP behaviour except MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles and images from external CDN services, etc.
How are the MJML-based pages retrieved? I guess this is in the frontend scope?
How would the event handler look in your case - how are CSP headers modified here?
Hey Oliver, it was just an example. In my situation I'm using some setup like Markus did as MailService https://gitlab.com/reelworx/typo3/t3-mailservice/-/tree/master/src. The resulting markup of the page is already a final HTML with ugly HTML-output and inline-stuff. The page is then fetched from customer's newsletter system.
Updated by Oliver Hader 5 months ago
Josef Glatz wrote in #note-7:
How are the MJML-based pages retrieved? I guess this is in the frontend scope?
How would the event handler look in your case - how are CSP headers modified here?
Hey Oliver, it was just an example. In my situation I'm using some setup like Markus did as MailService https://gitlab.com/reelworx/typo3/t3-mailservice/-/tree/master/src. The resulting markup of the page is already a final HTML with ugly HTML-output and inline-stuff. The page is then fetched from customer's newsletter system.
Thanks. How are CSP headers modified in your case? Or are they just skipped for that particular purpose?
I'm raising this question since custom modifications via events might have an impact on caches (which was not considered in the recent change that was merged)...
Updated by Gerrit Code Review 5 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84952
Updated by Oliver Bartsch 5 months ago
- Status changed from Under Review to Resolved
Applied in changeset 02cec4c3161914266cca6847b8fa9c3e2415317a.