Bug #105856

open

CSP reports may flood database

Added by Sadik Asbach 29 days ago. Updated 10 days ago.

Status: Under Review
Priority: Should have
Assignee: -
Category: Content Security Policy
Start date: 2024-12-20
Due date: -
% Done: 0%
Estimated time: -
TYPO3 Version: 12
PHP Version: 8.1
Tags: -
Complexity: -
Is Regression: -
Sprint Focus: -

Description

Well-formed CSP reports are by default always written to the database and thus may flood it (as I already described/asked here: https://talk.typo3.org/t/solved-possibility-to-deactivate-db-logging-of-csp-reports/6041).
You can prevent, and deal with it, but I think it makes sense to have the logging 1) disabled by default and 2) optionally enabled (e.g. in the site-specific csp.yaml) when configuring CSP. As I was not aware of it, it may thus make more administrators aware of the logging. And prevent offline websites/services due to a full database.
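As an added example (not TYPO3 core code and not the patch under review), the sketch below shows in Python how a report-uri endpoint can keep report logging switched on while bounding what reaches the database: malformed reports are rejected, repeats of an already-logged violation are counted instead of stored, and the number of rows written per time window is capped. The `enabled` switch stands in for the kind of per-site option the reporter asks for; its name, the thresholds and the constructed sample reports are assumptions.

```python
"""Illustrative CSP report sink with bounded storage (added example, not TYPO3 code)."""
import json
from collections import OrderedDict

# Fields of a CSP `csp-report` object used to recognise repeats of the same violation.
DEDUP_KEYS = ("document-uri", "violated-directive", "blocked-uri")


class ReportSink:
    def __init__(self, enabled=True, max_per_window=100, window_seconds=60, dedup_size=1000):
        self.enabled = enabled              # assumed per-site "logging enabled" switch
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.window_start = None
        self.written_in_window = 0
        self.seen = OrderedDict()           # bounded LRU: violation key -> times seen
        self.dedup_size = dedup_size
        self.rows = []                      # stands in for the database table

    def handle(self, raw_body: str, now: float) -> str:
        """Process one POSTed report body; returns what happened to it."""
        if not self.enabled:
            return "disabled"
        try:
            report = json.loads(raw_body).get("csp-report")
        except (ValueError, AttributeError):
            return "rejected"   # not JSON, or not a JSON object
        if not isinstance(report, dict) or not all(
            isinstance(report.get(k), str) for k in DEDUP_KEYS
        ):
            return "rejected"   # required fields missing or of the wrong type
        key = tuple(report[k] for k in DEDUP_KEYS)
        if key in self.seen:
            # Same violation already logged: count it, do not write another row.
            self.seen[key] += 1
            self.seen.move_to_end(key)
            return "duplicate"
        # Fixed-window cap on rows actually written to the database.
        if self.window_start is None or now - self.window_start >= self.window_seconds:
            self.window_start = now
            self.written_in_window = 0
        if self.written_in_window >= self.max_per_window:
            return "dropped"    # over budget for this window; nothing is written
        self.written_in_window += 1
        self.seen[key] = 1
        if len(self.seen) > self.dedup_size:
            self.seen.popitem(last=False)   # evict least recently seen key
        self.rows.append({k: report[k] for k in DEDUP_KEYS})
        return "stored"


def simulate_flood():
    """Constructed input: 500 reports within 50 seconds, 50 distinct violations,
    against a sink allowed to write only 5 rows per minute."""
    sink = ReportSink(max_per_window=5, window_seconds=60)
    outcomes = {}
    for i in range(500):
        body = json.dumps({"csp-report": {
            "document-uri": "https://example.test/page",
            "violated-directive": "script-src-elem",
            "blocked-uri": "https://cdn.example.test/%d.js" % (i % 50),
        }})
        result = sink.handle(body, now=1000.0 + i * 0.1)
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes, len(sink.rows)


if __name__ == "__main__":
    print(simulate_flood())
```

Rejected and dropped reports are not remembered, so a violation that arrived over budget is logged the next time it shows up in a fresh window; only violations already in the table are collapsed into a counter. Whether the counters themselves are persisted or just exposed as a metric is a deployment choice.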


Related issues (2: 1 open, 1 closed)

Related to TYPO3 Core - Feature #105087: CSP Header option to disable or reduce amount of reporting-uri requests (Needs Feedback, 2024-09-23)
Related to TYPO3 Core - Task #104570: Reduce amount of noisy CSP reports (Resolved, Oliver Hader, 2024-08-08)

#1

Updated by Garvin Hicking 29 days ago · Edited

In my opinion, it needs to be enabled by default, otherwise CSP would block things you're not aware of. Doing log rotation/clearing is IMO a task for system maintainers, and watching that for abuse.

(The link offers some solutions how logging can be influenced)

#2

Updated by Oliver Hader 25 days ago

  • Related to Feature #105087: CSP Header option to disable or reduce amount of reporting-uri requests added
#3

Updated by Oliver Hader 25 days ago

  • Related to Task #104570: Reduce amount of noisy CSP reports added
#4

Updated by Gerrit Code Review 15 days ago · Edited

  • Status changed from New to Under Review
#5

Updated by Gerrit Code Review 10 days ago

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87670

#6

Updated by Gerrit Code Review 10 days ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87670
