Task #104549
closed
Activation of CSP headers for frontend per site in multidomain installation
100%
Description
In a multidomain installation, it is currently not possible to completely disable the output of CSP headers for a site if $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.enforceContentSecurityPolicy'] = true. The default CSP headers are still output even if no csp.yaml file is created. It would be great if you could decide per site whether CSP should be on or off in the frontend.
Updated by Garvin Hicking 4 months ago
- Status changed from New to Needs Feedback
I can't test this right now, but you could use a ContentSecurityPolicies.php file maybe and do your site detection consditionally in there?
Also https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/ContentSecurityPolicy/Index.html#content-security-policy-site with maybe a csp.yaml file resetting headers to different values could work?
And if all fails, you can place a middleware after the csp one, and reset CSP headers with that?
Updated by Garvin Hicking 4 months ago
(With middleware, check out https://forge.typo3.org/issues/104470 for a possible approach?)
Updated by Gerrit Code Review 3 months ago
- Status changed from Needs Feedback to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85591
Updated by Oliver Hader 3 months ago
I see that disabling CSP headers for a particular site might be handy. Please check & verify the referenced patch. Thx!
Updated by Oliver Hader 3 months ago
- Tracker changed from Feature to Task
- PHP Version changed from 8.3 to 8.2
- TYPO3 Version set to 12
Updated by Gerrit Code Review 3 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85622
Updated by Oliver Hader 3 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset acf70306c44f9817552bcaae45aafc46b03dc0bf.
Updated by Oliver Hader 3 months ago
- Status changed from Resolved to New
→ reverts https://review.typo3.org/q/I651f60d7b5cc24133801412c8f09b1efba98d3f4
→ the behavior shall be combined with a site-specific report-only mode later
Updated by Gerrit Code Review 3 months ago
- Status changed from New to Under Review
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 8 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 9 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 10 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 11 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 12 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 13 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 14 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 15 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 16 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 17 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 18 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 19 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 20 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 21 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 22 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 23 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 24 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 25 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 26 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 27 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 28 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 29 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Updated by Gerrit Code Review 3 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85809
Updated by Oliver Hader 3 months ago
- Status changed from Under Review to Resolved
Applied in changeset 13758d53870c9409f7e36ba5f6b6d01671b2b658.
Updated by Oliver Hader 3 months ago
- Related to Task #104633: Combine disabling site-specific CSP with report-only mode added
Updated by Oliver Hader 3 months ago
- Related to Feature #101580: Add feature flag to enable CSP ReportOnly mode added
Updated by Oliver Hader 3 months ago
· Edited
Disabling CSP per-site has been re-introduced into TYPO3 v12.
in config/sites/<my-site>/csp.yaml
# `active` is enabled per default if omitted active: false
Updated by