Feature #104470
openCSP - Report-Only mode
Description
Implementing a proper CSP for a complex TYPO3 site using many external sources, scripts and stuff is a nasty and time-consuming task.
So although it's great that CSP violations can be tracked with TYPO3 in the CSP BE module - it would be good if Report-Only tracking could be set via configuration. So a website can run a while in reporting mode and you can collect the issues and fix them.
We could not find any configuration flags that would enable a Report-Only mode.
You can turn on SYS.features.security.backend.enforceContentSecurityPolicy and/or SYS.features.security.frontend.enforceContentSecurityPolicy, but this directly activates the CSP - so the FE may become unusable and this is not suitable for a live site.
Or is this already possible and we have just missed the respective documentation?
Updated by Garvin Hicking 3 days ago
- Category changed from Security to Content Security Policy
- Status changed from New to Needs Feedback
Indeed I couldn't see an option to use the "Content-Security-Policy-Report-Only" header. typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php in method process does this:

```php
return $response->withHeader('Content-Security-Policy', $policy->compile($this->requestId->nonce, $this->cache));
```
so there's no toggle for the header. While this would be nice to get implemented as a flag, you could work around this with a small hack.
You could register a custom middleware just after the ContentSecurityPolicyHeaders middleware and modify the output with something like:
```php
<?php
declare(strict_types=1);

// PSR-7 / PSR-15 interfaces the middleware relies on (TYPO3 ships them).
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

// "readonly class" requires PHP 8.2; drop "readonly" on PHP 8.1.
final readonly class ContentSecurityPolicyHeadersReportOnly implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);
        // ContentSecurityPolicyHeaders has now handled our response, let's mangle it.
        if ($response->hasHeader('Content-Security-Policy')) {
            // getHeader() returns the header's values as an array, which withHeader() accepts.
            $response = $response->withHeader(
                'Content-Security-Policy-Report-Only',
                $response->getHeader('Content-Security-Policy')
            );
            // Detach the old header
            $response = $response->withoutHeader('Content-Security-Policy');
        }
        return $response;
    }
}
```
I have not tested this, but in theory this should work by just "renaming" the header. Maybe you'd like to try this until a decision can be made whether to support this with a config/option/API toggle?
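Registering that middleware so it actually sees the header, as an added example (not from the issue or from TYPO3 core): a Configuration/RequestMiddlewares.php for a site package. The vendor/package keys and the class namespace are placeholders, and the core identifier 'typo3/cms-frontend/content-security-policy-headers' is assumed from the core's own RequestMiddlewares.php, so check it there. Because the core middleware attaches the header only after calling $handler->handle(), the renaming middleware must wrap it, which in TYPO3's stack means listing it 'before' that identifier rather than 'after'.

```php
<?php
// Configuration/RequestMiddlewares.php in the site package (paths/names are placeholders).
declare(strict_types=1);

use MyVendor\MySitepackage\Middleware\ContentSecurityPolicyHeadersReportOnly;

return [
    // Only the frontend stack is handled here; the backend has its own CSP middleware.
    'frontend' => [
        'my-vendor/my-sitepackage/csp-report-only' => [
            'target' => ContentSecurityPolicyHeadersReportOnly::class,
            // The core middleware sets Content-Security-Policy on the way OUT of the stack.
            // Placing ours "before" it makes ours the outer layer, so $handler->handle()
            // already returns a response carrying the header we want to rename.
            // Identifier assumed; verify against typo3/sysext/frontend/Configuration/RequestMiddlewares.php.
            'before' => [
                'typo3/cms-frontend/content-security-policy-headers',
            ],
        ],
    ],
];
```

After adding the file, flush caches (vendor/bin/typo3 cache:flush) and confirm with curl -I against a frontend page that the response now carries Content-Security-Policy-Report-Only and no enforcing header. The compiled policy keeps its report-uri, so violations still arrive in the CSP backend module while nothing is blocked.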