Feature #87423

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Integrate CSP management module

Added by Oliver Hader about 5 years ago. Updated about 2 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version:
Start date: 2019-01-13
Due date:
% Done: 100%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

In order to grant access, configure behavior and monitor configuration flaws or violations (e.g. of 3rd party extensions), a content security policy management module shall be integrated.

  • grant/revoke access (based on manifest)
  • configure content security level (predefined/presets)
  • log of recent violations with UI filter capabilities (search for URI, type, date/time, ...)

Test-Extension

[Mockup image: DRAFT CSP rules]

[Mockup image: DRAFT CSP reports]

Files

  • mockup_Rules.png (80.4 KB), DRAFT CSP rules, Oliver Hader, 2021-05-06 17:52
  • mockup_Reports.png (89.3 KB), DRAFT CSP reports, Oliver Hader, 2021-05-06 17:52
  • typo3_csp.bmpr (100 KB), Balsamiq mockup, Oliver Hader, 2021-05-06 17:52

Related issues (5: 2 open, 3 closed)

  • Related to TYPO3 Core - Feature #87421: Integrate CSP reporting endpoint (Closed, 2019-01-13)
  • Related to TYPO3 Core - Task #100535: CSP module: On small browser size the UX of the details view could be improved (Accepted, 2023-04-08)
  • Related to TYPO3 Core - Task #100616: Add docheader buttons to CSP module (Under Review, Chris Müller, 2023-04-16)
  • Related to TYPO3 Core - Bug #100618: CSP module: Mute and delete of violations do not work (Resolved, 2023-04-16)
  • Has duplicate TYPO3 Core - Feature #100056: Introduce Content Security Policy reporting & inspection (Closed, 2023-03-01)

Actions #2

Updated by Oliver Hader over 2 years ago

  • Target version changed from Candidate for Major Version to 12 LTS
Actions #3

Updated by Oliver Hader over 2 years ago

  • Status changed from New to Accepted
Actions #4

Updated by Rachel Foucard almost 2 years ago

Hi Oliver,

I dreamed about it!

I also wonder if it would technically be possible to get an understandable message (back or front) when a simple editor adds HTML content and gets no result because of CSP? Something like "This content can't be displayed because some security settings are blocking external URLs, please ask your administrator to approve them first, blabla..."

Rachel

Actions #5

Updated by Oliver Hader almost 2 years ago

Rachel Foucard wrote in #note-4:

I also wonder if it would technically be possible to get an understandable message (back or front) when a simple editor adds HTML content and gets no result because of CSP? Something like "This content can't be displayed because some security settings are blocking external URLs, please ask your administrator to approve them first, blabla..."

Technically it's possible to handle these "CSP violations" with the corresponding event in JavaScript, e.g. see https://developer.mozilla.org/en-US/docs/Web/API/SecurityPolicyViolationEvent for details. I used this technique in a proof-of-concept prototype (end of 2019) to collect violations during runtime.

Another possibility would be to use reporting endpoints (like Sentry or similar services) which is more generic, since not all application states (mainly JavaScript states) are submitted, e.g. see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to for details.
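
A runtime collector of the kind this note describes, added here as an example; it is not code from the TYPO3 prototype or patch. The field names are those of SecurityPolicyViolationEvent; the sample events, the `site.example` / `cdn.example` URLs and the deduplication scheme are constructed for illustration.

```javascript
const collectedViolations = [];

// Reduce a SecurityPolicyViolationEvent to the fields worth storing and filtering.
// The event says *what* was blocked and where it was referenced, not which visible
// element depended on it, so any message shown to an editor can only be generic.
function violationRecord(ev) {
  const source = ev.sourceFile
    ? `${ev.sourceFile}:${ev.lineNumber || 0}:${ev.columnNumber || 0}`
    : null;
  return {
    directive: ev.effectiveDirective || ev.violatedDirective || 'unknown',
    blockedURI: ev.blockedURI || '',
    disposition: ev.disposition || 'enforce', // "report" under Content-Security-Policy-Report-Only
    source,
  };
}

// Store a violation, collapsing repeats of the same directive/URI/source into a counter.
function recordViolation(ev, store = collectedViolations) {
  const rec = violationRecord(ev);
  const key = `${rec.directive}|${rec.blockedURI}|${rec.source}`;
  const existing = store.find((r) => r.key === key);
  if (existing) {
    existing.count += 1;
    return existing;
  }
  const entry = { key, count: 1, ...rec };
  store.push(entry);
  return entry;
}

// Count violations per directive, e.g. { 'script-src': 2, 'img-src': 1 }, for a summary view.
function summarizeByDirective(store = collectedViolations) {
  return store.reduce((acc, r) => {
    acc[r.directive] = (acc[r.directive] || 0) + r.count;
    return acc;
  }, {});
}

// In a browser, attach the listener; under Node (no `document`) this is skipped.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (ev) => recordViolation(ev));
}

// Constructed sample events in the shape a browser dispatches (not real data).
const sampleEvents = [
  { effectiveDirective: 'script-src', blockedURI: 'https://cdn.example/lightbox.js',
    disposition: 'enforce', sourceFile: 'https://site.example/', lineNumber: 12, columnNumber: 5 },
  { effectiveDirective: 'script-src', blockedURI: 'https://cdn.example/lightbox.js',
    disposition: 'enforce', sourceFile: 'https://site.example/', lineNumber: 12, columnNumber: 5 },
  { violatedDirective: 'img-src', blockedURI: 'https://tracker.example/pixel.gif', disposition: 'report' },
];
```

Feeding `sampleEvents` through `recordViolation` yields two entries (the repeated script block counted twice) and a summary of `{ 'script-src': 2, 'img-src': 1 }`; the records carry no information about which element on the page went missing, which is the limitation discussed later in this issue.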

Actions #6

Updated by Oliver Hader about 1 year ago

  • Has duplicate Feature #100056: Introduce Content Security Policy reporting & inspection added
Actions #7

Updated by Gerrit Code Review about 1 year ago

  • Status changed from Accepted to Under Review

Patch set 13 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #8

Updated by Oliver Hader about 1 year ago

  • Description updated (diff)
Actions #9

Updated by Oliver Hader about 1 year ago

Actions #10

Updated by Gerrit Code Review about 1 year ago

Patch set 14 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #11

Updated by Gerrit Code Review about 1 year ago

Patch set 15 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #12

Updated by Gerrit Code Review about 1 year ago

Patch set 16 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #13

Updated by Gerrit Code Review about 1 year ago

Patch set 17 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #14

Updated by Gerrit Code Review about 1 year ago

Patch set 18 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #15

Updated by Gerrit Code Review about 1 year ago

Patch set 19 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #16

Updated by Gerrit Code Review 12 months ago

Patch set 20 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #17

Updated by Gerrit Code Review 12 months ago

Patch set 21 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #18

Updated by Gerrit Code Review 12 months ago

Patch set 22 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #19

Updated by Gerrit Code Review 12 months ago

Patch set 23 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #20

Updated by Gerrit Code Review 12 months ago

Patch set 24 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #21

Updated by Gerrit Code Review 12 months ago

Patch set 25 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #22

Updated by Gerrit Code Review 12 months ago

Patch set 26 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #23

Updated by Gerrit Code Review 12 months ago

Patch set 27 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/77998

Actions #24

Updated by Oliver Hader 12 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #25

Updated by Oliver Hader 12 months ago

Rachel Foucard wrote in #note-4:

I also wonder if it would technically be possible to get an understandable message (back or front) when a simple editor adds HTML content and gets no result because of CSP? Something like "This content can't be displayed because some security settings are blocking external URLs, please ask your administrator to approve them first, blabla..."

Technically it's possible to show a dialog whenever CSP violations occur. However, it's not known and cannot be inferred what this violation causes to the visible representation. Thus, it's not known whether e.g. a site visitor tracker (Google, Matomo, ...) or a lightbox (from external CDN) has been blocked.

Actions #26

Updated by Chris Müller 12 months ago

  • Related to Task #100534: Avoid PHP deprecation in CSP report added
Actions #27

Updated by Chris Müller 12 months ago

  • Related to Task #100535: CSP module: On small browser size the UX of the details view could be improved added
Actions #28

Updated by Oliver Hader 11 months ago

  • Related to deleted (Task #100534: Avoid PHP deprecation in CSP report)
Actions #29

Updated by Chris Müller 11 months ago

  • Related to Task #100616: Add docheader buttons to CSP module added
Actions #30

Updated by Chris Müller 11 months ago

  • Related to Bug #100618: CSP module: Mute and delete of violations do not work added
Actions #31

Updated by Benni Mack about 2 months ago

  • Status changed from Resolved to Closed