Task #95898

closed

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Extend build process to monitor Content Security Policy violations

Added by Torben Hansen over 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Tests
Target version:
Start date: 2021-11-07
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 11
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

To actively monitor the possible introduction of new inline JavaScript into TYPO3 core, we could extend the acceptance test build process on GitLab CI as follows:

  1. Extend the TYPO3 instance used for acceptance tests to send a Content-Security-Policy-Report-Only header that reports violations via the report-uri directive to a known endpoint (see step 2).
  2. Add a CSP violation endpoint to TYPO3 core that is only available when running acceptance tests (e.g. it could be a dedicated package installed as a dev dependency). The endpoint simply collects all reported CSP violations in a logfile.
  3. Analyze the logfile for potential new CSP violations and let the build step fail (or soft fail) if new CSP violations are detected.
  4. On failure, save the logfile as a GitLab artifact.

In the short term, this would catch possible new CSP violations in the parts of TYPO3 that are currently covered by acceptance tests. In the long term, we could create new acceptance test scenarios for the parts of TYPO3 that are not yet covered by acceptance tests.
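Step 3 of the proposal, as an added example that is not part of the TYPO3 project or this issue: a CI check that reads the logfile written by the violation endpoint (assumed here to hold one report-uri JSON document per line, as browsers POST them), reduces each report to a stable identity, and exits non-zero when a violation is not in a known baseline. The sample log, the baseline and the `typo3.test` host are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample log: one JSON report per line, as a browser would POST it
# to the report-uri endpoint while Content-Security-Policy-Report-Only is set.
# The second line stands in for a corrupted or non-report line in the file.
SAMPLE_LOG = """\
{"csp-report": {"document-uri": "https://typo3.test/typo3/index.php?route=%2Fmain", "effective-directive": "script-src-elem", "blocked-uri": "inline", "line-number": 12}}
not json at all
{"csp-report": {"document-uri": "https://typo3.test/typo3/index.php?route=%2Fmodule%2Fweb%2Flayout", "effective-directive": "script-src-elem", "blocked-uri": "inline", "line-number": 40}}
"""

# Assumed baseline: violations already known for the tested TYPO3 version.
KNOWN_BASELINE = {("/typo3/index.php?route=%2Fmain", "script-src-elem", "inline")}


def violation_key(report):
    """Identify a violation by document (scheme/host stripped), directive and blocked URI."""
    parts = urlsplit(report.get("document-uri", ""))
    document = parts.path + ("?" + parts.query if parts.query else "")
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    return (document, directive, report.get("blocked-uri", ""))


def parse_log(text):
    """Yield the csp-report objects in a log, skipping lines that are not reports."""
    for line in text.splitlines():
        try:
            report = json.loads(line).get("csp-report")
        except (ValueError, AttributeError):
            continue
        if isinstance(report, dict):
            yield report


def new_violations(text, baseline):
    """Return the distinct violations in the log that are not in the baseline."""
    seen = set()
    for report in parse_log(text):
        key = violation_key(report)
        if key not in baseline:
            seen.add(key)
    return sorted(seen)


def main():
    unknown = new_violations(SAMPLE_LOG, KNOWN_BASELINE)
    for document, directive, blocked in unknown:
        print(f"new CSP violation: {directive} blocked {blocked!r} in {document}")
    return 1 if unknown else 0  # non-zero exit makes the CI step fail


if __name__ == "__main__":
    raise SystemExit(main())
```

In a real pipeline the log would be read from the artifact path and the baseline kept in the repository, so that accepting a known violation is an explicit, reviewed change.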

Note: This is currently only an idea. I do not know if we can extend the acceptance test setup as described, but in theory this should all be possible to implement.
