Task #104141
closed
Add request object to \TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent
Added by Josef Glatz 5 months ago.
Updated 5 months ago.
Category:
Content Security Policy
Description
Proposal
It would be a real benefit if the event listener gets the ServerRequestInterface to handle custom implementations.
Why?
Scenario (real use case of this event):
The whole TYPO3 site has a strict CSP behaviour except MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles and images from external CDN services, etc.
So the newsletter is built right within TYPO3. And an external newsletter SaaS tool fetches these pages. We use this event to relax CSP settings for pages with that backendLayout AND some TYPO3 site settings which need the request object instead of going the way through $GLOBALS.
- Status changed from New to Under Review
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
The whole TYPO3 site has a strict CSP behaviour except MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles and images from external CDN services, etc.
How are the MJML-based pages retrieved? I guess this is in the frontend scope?
What would the event handler look like in your case - how are CSP headers modified here?
- Status changed from Resolved to Under Review
Oliver Hader wrote in #note-5:
The whole TYPO3 site has a strict CSP behaviour except MJML-based newsletter pages with a specific backendLayout. Due to the nature of newsletter templates, they include inline styles and images from external CDN services, etc.
How are the MJML-based pages retrieved? I guess this is in the frontend scope?
What would the event handler look like in your case - how are CSP headers modified here?
Hey Oliver, it was just an example. In my situation I'm using some setup like Markus did as MailService https://gitlab.com/reelworx/typo3/t3-mailservice/-/tree/master/src. The resulting markup of the page is already a final HTML with ugly HTML-output and inline-stuff. The page is then fetched from the customer's newsletter system.
Josef Glatz wrote in #note-7:
How are the MJML-based pages retrieved? I guess this is in the frontend scope?
What would the event handler look like in your case - how are CSP headers modified here?
Hey Oliver, it was just an example. In my situation I'm using some setup like Markus did as MailService https://gitlab.com/reelworx/typo3/t3-mailservice/-/tree/master/src. The resulting markup of the page is already a final HTML with ugly HTML-output and inline-stuff. The page is then fetched from the customer's newsletter system.
Thanks. How are CSP headers modified in your case? Or are they just skipped for that particular purpose?
I'm raising this question since custom modifications via events might have an impact on caches (which was not considered in the recent change that was merged)...
- Status changed from Under Review to Resolved
- Status changed from Resolved to Closed