Closed ohader closed 1 year ago
This change contains some commits that are relevant for TYPO3 v12 only, and are unrelated to CSP. I'm not sure whether there shall be a dedicated TYPO3 v12 version of ext:staticfilecache. For instance commit 086f90c059384ef731fa6a62e7c8ab96cf0d0911 would only not work with TYPO3 v11.
Side-note: I was testing with TYPO3 v13-dev, that's why these changes were required. When just focussing on TYPO3 v12, they are not really a hard requirement. That being said, it probably would have been better to keep them in a separate pull request.
Hey @ohader looks good to me. The extension is pretty stable, and I think we could change the master to v12 & v13-dev. Could you adapt the composer.json requirements as well? Then we can merge the changes (even if the related core changes are not merged yet). Or do you suggest to wait for the core changes?! Regards, Tim
Sounds good. I'll continue here during the next few days. I don't see hard dependencies to those core settings.
Hey @ohader I will merge the changes and switch core versions in the meta files in a few minutes...
Short description
Fully cacheable responses must avoid using Content-Security-Policy nonce values in HTTP headers and the generated HTML markup. This change adjusts the TYPO3 PolicyBehavior to aim for cacheable responses and therefore to use static hash values instead of dynamic nonce values.
Related Issues
389
More Details
validHtaccessHeaders and validFallbackHeaders were extended by Content-Security-Policy (this has to be adjusted manually in the file system/settings.php of the corresponding TYPO3 instance)
.htaccess generator was adjusted to update the reporting URI that might potentially be used in the Content-Security-Policy HTTP header, e.g. the corresponding section in the generated .htaccess file would look like this
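
The hash-based approach from the short description, as an added example that is not part of this pull request or of ext:staticfilecache (and is not the .htaccess section referred to above). The sample markup and the function names `inlineHashSources`, `staticPolicy` and `noncePolicy` are constructed for illustration; the sketch shows why a policy built from hashes can be stored next to a cached page while a nonce cannot.

```php
<?php
declare(strict_types=1);

// Constructed sample page: the markup a static file cache would store on disk.
const SAMPLE_HTML = <<<'HTML'
<!doctype html>
<html><head>
<script>document.documentElement.classList.add('js');</script>
<script src="/assets/app.js"></script>
<style>body{margin:0}</style>
</head><body><p>Cached page</p></body></html>
HTML;

// Collect CSP hash sources for inline <script> or <style> bodies.
// The browser hashes the exact bytes between the tags, so nothing is trimmed.
function inlineHashSources(string $html, string $tag): array
{
    $pattern = sprintf('#<%1$s\b([^>]*)>(.*?)</%1$s>#is', preg_quote($tag, '#'));
    preg_match_all($pattern, $html, $matches, PREG_SET_ORDER);
    $sources = [];
    foreach ($matches as [, $attributes, $body]) {
        // External scripts are allowed through 'self' or host sources, not a hash.
        if ($tag === 'script' && preg_match('#\bsrc\s*=#i', $attributes)) {
            continue;
        }
        $sources[] = "'sha256-" . base64_encode(hash('sha256', $body, true)) . "'";
    }
    return array_values(array_unique($sources));
}

// Policy derived only from the stored markup: identical on every cache hit.
function staticPolicy(string $html): string
{
    $script = implode(' ', array_merge(["'self'"], inlineHashSources($html, 'script')));
    $style = implode(' ', array_merge(["'self'"], inlineHashSources($html, 'style')));
    return "default-src 'self'; script-src $script; style-src $style";
}

// A nonce has to be fresh for each response, so a file written once cannot carry it.
function noncePolicy(): string
{
    return "script-src 'nonce-" . base64_encode(random_bytes(16)) . "'";
}

echo 'Content-Security-Policy: ', staticPolicy(SAMPLE_HTML), PHP_EOL;
echo 'Two nonce policies equal? ', var_export(noncePolicy() === noncePolicy(), true), PHP_EOL;
```

Any change to an inline block changes its hash, so the stored header has to be regenerated together with the cached file.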