Feature #87420

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Integrate signatures for Stylesheet and JavaScript resources

Added by Oliver Hader almost 2 years ago. Updated almost 2 years ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2019-01-13
Due date:
% Done:

0%

PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

In order to ensure that Stylesheet and JavaScript resources are integrated without having been compromised, corresponding signatures (Subresource Integrity hashes) have to be added:

Documentation:

For static files

Example

<script src="https://example.com/example-framework.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

This step also requires that signatures be regenerated every time the source code is modified, i.e. with each Git commit. Generating signatures dynamically at request time does not make sense, since that would just sign already compromised data as well. The "trust aspect" still has to be defined here, in terms of how to verify that the signatures themselves have not been compromised.

For ("unsafe") inline assignments

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

Example

Content-Security-Policy: script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c">
  var inline = 1;
</script>
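As an added illustration of both mechanisms above (not TYPO3 Core code), the following script generates SRI integrity values and the matching script/link tags at build time, re-implements the browser-side check so a tampered resource can be seen to fail, and produces a per-response CSP nonce. The resource bytes and URLs are constructed stand-ins.

```python
import base64
import hashlib
import secrets

# Algorithms the SRI spec allows, listed weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")

def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Build the integrity value ("sha384-<base64 digest>") for a resource's bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def sri_tag(kind: str, src: str, data: bytes, algo: str = "sha384") -> str:
    """Emit a <script> or stylesheet <link> tag carrying integrity + crossorigin."""
    integrity = sri_hash(data, algo)
    if kind == "script":
        return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'
    if kind == "stylesheet":
        return f'<link rel="stylesheet" href="{src}" integrity="{integrity}" crossorigin="anonymous">'
    raise ValueError(f"unsupported resource kind: {kind}")

def sri_check(data: bytes, integrity: str) -> bool:
    """Mirror the browser: parse the space-separated list, keep only entries that use
    the strongest recognised algorithm, and accept if any of those digests matches."""
    parsed = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGOS and value:
            parsed.append((algo, value.split("?", 1)[0]))  # drop any option suffix
    if not parsed:
        return True  # nothing usable: the browser loads the resource unchecked
    strongest = max((a for a, _ in parsed), key=SRI_ALGOS.index)
    for algo, value in parsed:
        if algo != strongest:
            continue
        actual = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
        if secrets.compare_digest(actual, value):
            return True
    return False

def csp_nonce(nbytes: int = 16) -> str:
    """Fresh per-response nonce for script-src 'nonce-...'; never reuse one."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

if __name__ == "__main__":
    JS = b"var inline = 1;\n"  # constructed stand-in for example-framework.js
    print(sri_tag("script", "https://example.com/example-framework.js", JS))
    print(sri_check(JS, sri_hash(JS)), sri_check(JS + b"//tampered", sri_hash(JS)))
    print(f"Content-Security-Policy: script-src 'nonce-{csp_nonce()}'")
```

Because the hash is computed from the committed bytes, regenerating it on each commit (as the description requires) is a build-step concern; the check only proves the delivered file matches what was hashed, not that the hashed file was trustworthy.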

Related issues

Duplicated by TYPO3 Core - Feature #85939: Implement integrity-argument for link-tags in includeCSS Closed 2018-08-23

History

#1 Updated by Oliver Hader almost 2 years ago

  • Description updated (diff)

#2 Updated by Oliver Hader almost 2 years ago

  • Assignee deleted (Oliver Hader)

#3 Updated by Georg Ringer 8 months ago

  • Duplicated by Feature #85939: Implement integrity-argument for link-tags in includeCSS added
