Feature #87423

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Integrate CSP management module

Added by Oliver Hader over 3 years ago. Updated about 2 months ago.

Status: Accepted
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version:
Start date: 2019-01-13
Due date:
% Done: 0%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

In order to grant access, configure behavior and monitor configuration flaws or violations (e.g. of 3rd party extensions), a content security policy management module shall be integrated.

  • grant/revoke access (based on manifest)
  • configure content security level (predefined/presets)
  • log of recent violations with UI filter capabilities (search for URI, type, date/time, ...)

[mockup_Rules.png: DRAFT CSP rules]

[mockup_Reports.png: DRAFT CSP reports]

Files

mockup_Rules.png (80.4 KB) - DRAFT CSP rules - Oliver Hader, 2021-05-06 17:52
mockup_Reports.png (89.3 KB) - DRAFT CSP reports - Oliver Hader, 2021-05-06 17:52
typo3_csp.bmpr (100 KB) - Balsamiq mockup - Oliver Hader, 2021-05-06 17:52
#2

Updated by Oliver Hader 6 months ago

  • Target version changed from Candidate for Major Version to 12 LTS
#3

Updated by Oliver Hader 6 months ago

  • Status changed from New to Accepted
#4

Updated by Rachel Foucard about 2 months ago

Hi Oliver,

I dreamed about it!

I also wonder if it would be technically possible to get an understandable message (back or front) when a simple editor adds HTML content and gets no result because of CSP? Something like "This content can't be displayed because some security settings are blocking external URLs, please ask your administrator to approve them first, blabla..."

Rachel

#5

Updated by Oliver Hader about 2 months ago

Rachel Foucard wrote in #note-4:

I also wonder if it would be technically possible to get an understandable message (back or front) when a simple editor adds HTML content and gets no result because of CSP? Something like "This content can't be displayed because some security settings are blocking external URLs, please ask your administrator to approve them first, blabla..."

Technically it's possible to handle these "CSP violations" with the corresponding event in JavaScript, e.g. see https://developer.mozilla.org/en-US/docs/Web/API/SecurityPolicyViolationEvent for details. I used this technique in a proof-of-concept prototype (end of 2019) to collect violations during runtime.

Another possibility would be to use reporting endpoints (like Sentry or similar services) which is more generic, since not all application states (mainly JavaScript states) are submitted, e.g. see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to for details.
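The runtime-collection technique described in #note-5, as an added example that is not part of this issue or of TYPO3's code: a `securitypolicyviolation` listener that records each violation, turns it into a message an editor can act on (the question raised in #note-4), forwards a copy to a collection endpoint of your choice (the in-page counterpart of a `report-to` endpoint), and offers the URI/directive/time filter sketched in the description. The event field names are those of SecurityPolicyViolationEvent; the function names, the message wording, the in-memory log and the sample events are this example's own assumptions. In a page the collector is installed on `document` with `send` posting to the endpoint (e.g. via `navigator.sendBeacon`); the stand-in event target and the constructed events exist only so the example runs outside a browser.

```javascript
// Added example (not TYPO3 code). Field names follow SecurityPolicyViolationEvent;
// the helper names, message texts and sample data are this example's assumptions.

// Human-readable label per directive, used in the editor-facing message.
const DIRECTIVE_HINTS = {
  "script-src": "a script", "style-src": "a stylesheet", "img-src": "an image",
  "frame-src": "an embedded frame", "font-src": "a web font",
  "connect-src": "a network request", "media-src": "a media file",
};

// Turn the (mostly opaque) event into something an editor can understand.
function describeViolation(ev) {
  // effectiveDirective is the directive actually enforced (e.g. script-src when
  // only default-src was set); violatedDirective is kept for older browsers.
  const directive = ev.effectiveDirective || ev.violatedDirective || "unknown";
  const what = DIRECTIVE_HINTS[directive] || "a resource";
  // blockedURI is either a URL or a keyword such as "inline", "eval", "data".
  let origin;
  try {
    origin = new URL(ev.blockedURI).origin;
  } catch (_) {
    origin = ev.blockedURI || "(unknown)";
  }
  const enforced = ev.disposition !== "report"; // "enforce" or "report" (Report-Only)
  return {
    directive, origin, enforced,
    message: enforced
      ? `This content cannot be displayed: ${what} from ${origin} is blocked by the ` +
        `site's Content Security Policy (${directive}). Ask your administrator to allow it.`
      : `Warning: ${what} from ${origin} would be blocked once the Content Security ` +
        `Policy (${directive}) is enforced.`,
  };
}

// Records violations in memory and forwards each entry via `send`.
// `target` is normally `document`; `now` is injectable for testing.
function installViolationCollector(target, { send = () => {}, now = Date.now } = {}) {
  const log = [];
  target.addEventListener("securitypolicyviolation", (ev) => {
    const entry = {
      time: new Date(now()).toISOString(),
      documentURI: ev.documentURI,
      blockedURI: ev.blockedURI,
      effectiveDirective: ev.effectiveDirective,
      disposition: ev.disposition,
      sourceFile: ev.sourceFile || null,
      lineNumber: ev.lineNumber || null,
      sample: ev.sample || "", // first bytes of the inline code, if the policy allows
      ...describeViolation(ev),
    };
    log.push(entry);
    send(entry);
  });
  return {
    // UI filter from the feature description: URI substring, directive, time window.
    filter({ uri, directive, since } = {}) {
      return log.filter((e) =>
        (!uri || (e.blockedURI || "").includes(uri)) &&
        (!directive || e.effectiveDirective === directive) &&
        (!since || e.time >= since)); // ISO 8601 strings compare lexicographically
    },
    all: () => log.slice(),
  };
}

// Minimal EventTarget stand-in so the demo runs outside a browser.
function fakeTarget() {
  const listeners = {};
  return {
    addEventListener: (type, fn) => (listeners[type] = listeners[type] || []).push(fn),
    dispatch: (type, ev) => (listeners[type] || []).forEach((fn) => fn(ev)),
  };
}

// Constructed sample violations: one enforced external script, one inline style
// seen under a Report-Only policy.
const SAMPLE_EVENTS = [
  { documentURI: "https://example.org/page", blockedURI: "https://cdn.example.net/widget.js",
    effectiveDirective: "script-src", violatedDirective: "script-src",
    originalPolicy: "default-src 'self'", disposition: "enforce",
    sourceFile: "https://example.org/page", lineNumber: 42, sample: "" },
  { documentURI: "https://example.org/page", blockedURI: "inline",
    effectiveDirective: "style-src", violatedDirective: "style-src",
    originalPolicy: "default-src 'self'", disposition: "report",
    sourceFile: "", lineNumber: 0, sample: "color: red" },
];

// Runs the collector against the constructed events and returns what it produced.
function demo() {
  const sent = [];
  const target = fakeTarget();
  const collector = installViolationCollector(target, {
    send: (e) => sent.push(e),
    now: () => Date.UTC(2021, 4, 6, 17, 52),
  });
  SAMPLE_EVENTS.forEach((ev) => target.dispatch("securitypolicyviolation", ev));
  return { sent, collector };
}
```

Note that the listener only sees violations in documents where the script itself is allowed to run; a policy that blocks the collector script, or violations in frames it cannot reach, only surface through the browser-side `report-to` mechanism mentioned above.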
