Bug #105856
CSP reports may flood database
Description
Well-formed CSP reports are by default always written to the database and thus may flood it (as I already described/asked here: https://talk.typo3.org/t/solved-possibility-to-deactivate-db-logging-of-csp-reports/6041).
You can prevent and deal with it, but I think it makes sense to have the logging 1) disabled by default and 2) optionally enabled (e.g. in the site-specific csp.yaml) when configuring CSP. As I was not aware of it, it may thus make more administrators aware of the logging. And prevent offline websites/services due to a full database.
Updated by Garvin Hicking 29 days ago · Edited
In my opinion, it needs to be enabled by default, otherwise CSP would block things you're not aware of. Doing log rotation/clearing is IMO a task for system maintainers, and watching that for abuse.
(The link offers some solutions how logging can be influenced)
Updated by Oliver Hader 25 days ago
- Related to Feature #105087: CSP Header option to disable or reduce amount of reporting-uri requests added
Updated by Oliver Hader 25 days ago
- Related to Task #104570: Reduce amount of noisy CSP reports added
Updated by Gerrit Code Review 15 days ago · Edited
- Status changed from New to Under Review
Updated by Gerrit Code Review 10 days ago
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87670
Updated by Gerrit Code Review 10 days ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87670