Feature #104470

open

CSP - Report-Only mode

Added by cosmoblonde GmbH 3 days ago. Updated 3 days ago.

Status: Needs Feedback
Priority: Should have
Assignee: -
Category: Content Security Policy
Target version: -
Start date: 2024-07-24
Due date: -
% Done: 0%
Estimated time: -
PHP Version: 8.2
Tags: -
Complexity: -
Sprint Focus: -

Description

Implementing a proper CSP for a complex TYPO3 site using many external sources, scripts and stuff is a nasty and time-consuming task.

So although it's great that CSP violations can be tracked with TYPO3 in the CSP BE module, it would be good if a Report-Only tracking mode could be set via configuration. So a website can run for a while in reporting mode and you can collect the issues and fix them.

We do not find any configuration flags that would enable a Report-Only mode.

You can turn on
SYS.features.security.backend.enforceContentSecurityPolicy
and/or
SYS.features.security.frontend.enforceContentSecurityPolicy

but this directly activates the CSP, so the FE may become unusable, and this is not suitable for a live site.

Or is this already possible and we have just missed the respective documentation?

#1

Updated by Garvin Hicking 3 days ago

  • Category changed from Security to Content Security Policy
  • Status changed from New to Needs Feedback

Indeed I couldn't see an option to use the "Content-Security-Policy-Report-Only" header. typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php in method process does this:

return $response->withHeader('Content-Security-Policy', $policy->compile($this->requestId->nonce, $this->cache));

so there's no toggle for the header. While this would be nice to get implemented as a flag, you could workaround this with a small hack.

You could register a custom middleware just after the ContentSecurityPolicyHeaders middleware and modify the output with something like:

<?php

declare(strict_types=1);

// Namespace is a placeholder; use your site package's own.
namespace Vendor\SitePackage\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

final readonly class ContentSecurityPolicyHeadersReportOnly implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Let the inner stack (including ContentSecurityPolicyHeaders) build the response first.
        $response = $handler->handle($request);
        // ContentSecurityPolicyHeaders has now handled our response, let's mangle it.
        if ($response->hasHeader('Content-Security-Policy')) {
            // Copy the compiled policy verbatim (nonce and any report directives included) under the report-only name ...
            $response = $response->withHeader('Content-Security-Policy-Report-Only', $response->getHeader('Content-Security-Policy'));
            // ... and detach the old, enforcing header.
            $response = $response->withoutHeader('Content-Security-Policy');
        }
        return $response;
    }
}

I have not tested this, but in theory this should work by just "renaming" the header. Maybe you'd like to try this until a decision can be made whether to support this with a config/option/API toggle?
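The comment above only sketches the middleware class; the missing piece for anyone trying the workaround is how to hook it into the frontend middleware stack. The following registration file is an added example, not code from the issue author, the commenter, or TYPO3 itself. It assumes the class from the comment lives at `\Vendor\SitePackage\Middleware\ContentSecurityPolicyHeadersReportOnly`, and the identifier `vendor/site-package/csp-report-only` is a placeholder. The identifier `typo3/cms-frontend/content-security-policy-headers` is taken from memory of the core's own `Configuration/RequestMiddlewares.php` and should be checked against the installed version. The one subtle point is ordering: in TYPO3's middleware configuration, `before` means "executed earlier on the way in", i.e. the new middleware wraps the referenced one. That is what is needed here, because `$handler->handle()` must return the response only after `ContentSecurityPolicyHeaders` has set the enforcing header; registering it with `after` instead would run it inside the CSP middleware and it would never see the header.

```php
<?php

// Configuration/RequestMiddlewares.php of your site package (example file, not shipped by TYPO3).
// The identifier 'vendor/site-package/csp-report-only' is a placeholder.
return [
    'frontend' => [
        'vendor/site-package/csp-report-only' => [
            'target' => \Vendor\SitePackage\Middleware\ContentSecurityPolicyHeadersReportOnly::class,
            // 'before' = runs earlier on the request path, so it wraps the CSP middleware and
            // receives the response *after* ContentSecurityPolicyHeaders added its header.
            // Core identifier assumed from typo3/sysext/frontend/Configuration/RequestMiddlewares.php;
            // verify it matches your TYPO3 version.
            'before' => [
                'typo3/cms-frontend/content-security-policy-headers',
            ],
        ],
    ],
];
```

After flushing caches, confirm the swap with something like `curl -sI https://your-site.example/ | grep -i content-security-policy`: the output should show only `Content-Security-Policy-Report-Only`, and because the directive string is copied verbatim, whatever reporting target the compiled policy already carries is unchanged, so violations still arrive in the backend module. Remember to remove the registration again once the policy is clean and you want browsers to actually enforce it; the backend stack uses a different middleware identifier and is not covered by this snippet.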
