Project

General

Profile

Actions
Copy link

Feature #87420

closed

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Integrate signatures for Stylesheet and JavaScript resources

Added by Oliver Hader almost 6 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
Candidate for Major Version
Start date:
2019-01-13
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

In order to ensure that Stylesheets and JavaScripts resources are integrated without being compromised, according signatures have to be added:

Documentation:

For static files

Example

<script src="https://example.com/example-framework.js" 
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" 
        crossorigin="anonymous"></script>

This step also requires that signatures have to be generated every time the source code is modified in Git commits. Dynamically generating signatures does not make sense since that would just sign compromised data as well. The "trust aspect" is still target to be defined here - in terms of "how to verify that signatures are not compromised".

For ("unsafe") inline assignments

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

Example

Content-Security-Policy: script-src 'nonce-2726c7f26c'

<script nonce="2726c7f26c">
  var inline = 1;
</script>

Related issues 1 (0 open1 closed)

Has duplicate TYPO3 Core - Task #100141: Add possibility to add resource hashesClosedOliver Hader2023-03-11

Actions
Actions
Copy link
 #1

Updated by Oliver Hader almost 6 years ago

  • Description updated (diff)
Actions
Copy link
 #2

Updated by Oliver Hader almost 6 years ago

  • Assignee deleted (Oliver Hader)
Actions
Copy link
 #3

Updated by Georg Ringer over 4 years ago

  • Has duplicate Feature #85939: Implement integrity-argument for link-tags in includeCSS added
Actions
Copy link
 #4

Updated by Oliver Hader about 3 years ago

  • Target version changed from Candidate for Major Version to 12 LTS
Actions
Copy link
 #5

Updated by Oliver Hader about 3 years ago

  • Status changed from New to Accepted
Actions
Copy link
 #6

Updated by Benjamin Franzke over 2 years ago

  • Blocks Task #97068: Generate a random importmap nonce for CSP compliance added
Actions
Copy link
 #7

Updated by Oliver Hader over 1 year ago

  • Blocks deleted (Task #97068: Generate a random importmap nonce for CSP compliance)
Actions
Copy link
 #8

Updated by Oliver Hader over 1 year ago

  • Has duplicate Task #100141: Add possibility to add resource hashes added
Actions
Copy link
 #9

Updated by Oliver Hader over 1 year ago

  • Has duplicate deleted (Feature #85939: Implement integrity-argument for link-tags in includeCSS)
Actions
Copy link
 #10

Updated by Oliver Hader over 1 year ago

→ done with #100141 - but only in the scope of content-security-policy headers, not in general for the integrity attribute, which has a different scope

Actions
Copy link
 #11

Updated by Benni Mack over 1 year ago

  • Target version changed from 12 LTS to Candidate for Major Version
Actions
Copy link
 #12

Updated by Oliver Hader over 1 year ago

  • Status changed from Accepted to Closed

Done in the scope of CSP.

Actions
Copy link

Also available in: Atom PDF