Task #95898

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Extend build process to monitor Content Security Policy violations

Added by Torben Hansen 6 months ago. Updated 6 months ago.

Status: Resolved
Priority: Should have
Assignee: -
Category: Tests
Target version:
Start date: 2021-11-07
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 11
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

In order to actively monitor a possible introduction of new inline JavaScript in TYPO3 core, we could extend the acceptance test build process on GitLab CI as follows:

  1. Extend the TYPO3 instance used for acceptance tests to send a Content-Security-Policy-Report-Only header which reports violations via the report-uri directive to a known endpoint (see 2.)
  2. Add a CSP violation endpoint to TYPO3 core, which is only available when running acceptance tests (e.g. this could be a dedicated package as a dev dependency). The endpoint simply collects all CSP violations in a logfile.
  3. Analyze the logfile for potential new CSP violations and let the build step fail (or soft fail) if new CSP violations are detected
  4. On fail, save the logfile as an artifact in GitLab

In the short term, this would catch possible new CSP violations for the parts of TYPO3 that are currently covered by acceptance tests. In the long term, we could create new acceptance test scenarios for the parts of TYPO3 that are not yet covered by acceptance tests.

Note: This is currently only an idea. I do not know if we can extend the acceptance test setup as described, but in theory this should all be possible to implement.
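The four build steps above, as an added example that is not part of this ticket or of TYPO3 core: a Python triage script covering step 1 (the Report-Only header value) and step 3 (turning the collected reports into a pass/fail verdict). The `/csp-report` path, the one-JSON-report-per-line logfile written by the endpoint, the baseline of known violations and the sample reports are all assumptions made for the example; the report shape itself is the legacy `report-uri` payload browsers POST with `Content-Type: application/csp-report`.

```python
"""Triage CSP violation reports collected during an acceptance-test run.

Added example, not TYPO3 core code. Assumed (hypothetical) setup following
steps 1-4 above: report-uri points at /csp-report, the test-only endpoint
appends each POSTed JSON report as one line to a logfile, and a checked-in
baseline of already-known violations makes only *new* ones fail the build.
"""
import json
from urllib.parse import urlsplit

REPORT_ENDPOINT = "/csp-report"  # hypothetical path, not from the ticket


def report_only_header(report_uri: str = REPORT_ENDPOINT) -> str:
    """Value for Content-Security-Policy-Report-Only (step 1).

    No 'unsafe-inline', hash or nonce anywhere: every inline <script>,
    on*= handler or style="" produces a report, yet nothing is blocked
    because the header is report-only, so the acceptance tests run as before.
    """
    return (
        "default-src 'self'; "
        "script-src 'self'; "
        "style-src 'self'; "
        f"report-uri {report_uri}"
    )


def fingerprint(report: dict) -> str:
    """Stable key for one violation: directive|blocked-uri|source-file|line.

    Browsers wrap the report-uri payload in a "csp-report" object. Older
    ones put the whole directive into 'violated-directive' ("script-src
    'self'"), so only the directive name is kept. Query strings (tokens,
    cache busters) are stripped from source-file so the same violation is
    not counted as new on every run.
    """
    body = report.get("csp-report", report)
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    directive = directive.split(" ", 1)[0]
    source = body.get("source-file", "")
    if source:
        source = urlsplit(source)._replace(query="", fragment="").geturl()
    return "|".join([directive, body.get("blocked-uri", ""), source,
                     str(body.get("line-number", ""))])


def parse_log(lines) -> list:
    """Step 3, parsing: one JSON report per line; non-JSON lines are skipped."""
    reports = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            reports.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. a request to the endpoint that was not a report
    return reports


def new_violations(reports, baseline) -> dict:
    """Fingerprint -> occurrence count for reports not covered by the baseline."""
    known = set(baseline)
    counts = {}
    for report in reports:
        key = fingerprint(report)
        if key not in known:
            counts[key] = counts.get(key, 0) + 1
    return counts


def evaluate(log_text: str, baseline, soft_fail: bool = False):
    """Build-step verdict as (exit code, new violations). soft_fail mirrors
    GitLab's allow_failure: the job reports but does not break the pipeline."""
    new = new_violations(parse_log(log_text.splitlines()), baseline)
    if not new:
        return 0, new
    return (0 if soft_fail else 1), new


# Constructed sample logfile (not real TYPO3 output): the same inline script
# hit twice with different query tokens, one already-known inline style, one
# junk line, and an unexpected third-party script load.
SAMPLE_LOG = """
{"csp-report": {"document-uri": "https://example.test/typo3/module/web/layout", "violated-directive": "script-src 'self'", "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "https://example.test/typo3/module/web/layout?token=abc", "line-number": 42}}
{"csp-report": {"document-uri": "https://example.test/typo3/module/web/layout", "violated-directive": "script-src 'self'", "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "https://example.test/typo3/module/web/layout?token=def", "line-number": 42}}
{"csp-report": {"document-uri": "https://example.test/typo3/module/page", "violated-directive": "style-src 'self'", "effective-directive": "style-src", "blocked-uri": "inline", "source-file": "https://example.test/typo3/module/page", "line-number": 7}}
GET /csp-report HTTP/1.1 (health check, not a report)
{"csp-report": {"document-uri": "https://example.test/typo3/login", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.example.test/lib.js", "source-file": "https://example.test/typo3/login", "line-number": 3}}
"""

# Constructed baseline: the inline style is already known and tolerated.
BASELINE = {"style-src|inline|https://example.test/typo3/module/page|7"}

if __name__ == "__main__":
    code, new = evaluate(SAMPLE_LOG, BASELINE)
    for key, count in sorted(new.items()):
        print(f"NEW CSP violation x{count}: {key}")
    raise SystemExit(code)
```

Two practical points the script encodes: since a report-only policy blocks nothing, the same inline script fires on every page load of every test, so reports have to be collapsed by a stable fingerprint or the build log becomes unreadable; and the baseline lets the check be introduced while existing violations are still being fixed, with the expectation that it only ever shrinks. Note that the newer Reporting API (`report-to`) delivers a different envelope (an array of reports whose `body` uses camelCase field names such as `blockedURL`), so an endpoint that should accept both needs a second parser.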

#1

Updated by Torben Hansen 6 months ago

  • Parent task set to #87417
#2

Updated by Oliver Hader 6 months ago

PoC and current CSP violations in acceptance tests: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72137

#3

Updated by Oliver Hader 6 months ago

  • Status changed from New to Accepted
#4

Updated by Oliver Hader 6 months ago

  • Target version set to 12 LTS
#5

Updated by Gerrit Code Review 6 months ago

  • Status changed from Accepted to Under Review

Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72137

#6

Updated by Gerrit Code Review 6 months ago

Patch set 8 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72137

#7

Updated by Gerrit Code Review 6 months ago

Patch set 9 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72137

#8

Updated by Gerrit Code Review 6 months ago

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72385

#9

Updated by Oliver Hader 6 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
