Project

General

Profile

Actions

Feature #87420

closed

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Integrate signatures for Stylesheet and JavaScript resources

Added by Oliver Hader almost 6 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2019-01-13
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

In order to ensure that Stylesheets and JavaScripts resources are integrated without being compromised, according signatures have to be added:

Documentation:

For static files

Example

<script src="https://example.com/example-framework.js" 
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" 
        crossorigin="anonymous"></script>

This step also requires that signatures have to be generated every time the source code is modified in Git commits. Dynamically generating signatures does not make sense since that would just sign compromised data as well. The "trust aspect" is still target to be defined here - in terms of "how to verify that signatures are not compromised".

For ("unsafe") inline assignments

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

Example

Content-Security-Policy: script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c">
  var inline = 1;
</script>

Related issues 1 (0 open1 closed)

Has duplicate TYPO3 Core - Task #100141: Add possibility to add resource hashesClosedOliver Hader2023-03-11

Actions
Actions #1

Updated by Oliver Hader almost 6 years ago

  • Description updated (diff)
Actions #2

Updated by Oliver Hader almost 6 years ago

  • Assignee deleted (Oliver Hader)
Actions #3

Updated by Georg Ringer almost 5 years ago

  • Has duplicate Feature #85939: Implement integrity-argument for link-tags in includeCSS added
Actions #4

Updated by Oliver Hader about 3 years ago

  • Target version changed from Candidate for Major Version to 12 LTS
Actions #5

Updated by Oliver Hader about 3 years ago

  • Status changed from New to Accepted
Actions #6

Updated by Benjamin Franzke almost 3 years ago

  • Blocks Task #97068: Generate a random importmap nonce for CSP compliance added
Actions #7

Updated by Oliver Hader almost 2 years ago

  • Blocks deleted (Task #97068: Generate a random importmap nonce for CSP compliance)
Actions #8

Updated by Oliver Hader over 1 year ago

  • Has duplicate Task #100141: Add possibility to add resource hashes added
Actions #9

Updated by Oliver Hader over 1 year ago

  • Has duplicate deleted (Feature #85939: Implement integrity-argument for link-tags in includeCSS)
Actions #10

Updated by Oliver Hader over 1 year ago

→ done with #100141 - but only in the scope of content-security-policy headers, not in general for the integrity attribute, which has a different scope

Actions #11

Updated by Benni Mack over 1 year ago

  • Target version changed from 12 LTS to Candidate for Major Version
Actions #12

Updated by Oliver Hader over 1 year ago

  • Status changed from Accepted to Closed

Done in the scope of CSP.

Actions

Also available in: Atom PDF