Important: #104549 - Introduce site-specific Content-Security-Policy-Disposition
See forge#104549
Description
The feature flags in $GLOBALS for enforcing and reporting apply Content-Security-Policy headers to any frontend site. The dedicated site configuration sites/<my- can now be used as an alternative to declare the desired disposition of Content-Security-Policy and Content-Security-Policy-Report-Only individually.
It is now also possible to apply both the Content-Security-Policy and the Content-Security-Policy-Report-Only HTTP header at the same time, with different directives, for a particular site. Besides that, the disposition can be disabled completely for a site.
The following new configuration schemes were introduced for sites/<my-:
active (false)
    disables CSP for a particular site when set to false, which overrules any other setting for enforce or report
enforce (bool | disposition-array)
    compiles the Content-Security-Policy HTTP header
report (bool | disposition-array)
    compiles the Content-Security-Policy-Report-Only HTTP header
The disposition-array for enforce and report allows these properties:
inheritDefault (bool)
    inherits the default, site-unspecific frontend policy mutations (true per default)
includeResolutions (bool)
    includes dynamic resolutions, as persisted in the database via the backend module (true per default)
mutations (mutation-item-array)
    defines additional directive mutations to be applied to the specific site
packages (package-item-array)
    defines packages/extensions whose static CSP mutations shall be dropped or included
Example: Disable Content-Security-Policy
The following example would completely disable CSP for a particular site.
# `active` is enabled per default if omitted
active: false
Example: Use report disposition
The following example would dispose only Content-Security-Policy-Report-Only
for a particular site (since the enforce property is not given).
report:
  # `inheritDefault` is enabled per default if omitted
  inheritDefault: true
  mutations:
    - mode: extend
      directive: img-src
      sources:
        - https://*.typo3.org
The following example is equivalent to the previous one, but shows that the
legacy configuration (having inheritDefault and mutations on the top level)
is still supported.
The effective HTTP headers would then be resolved from the active security.
feature flags for enforcing and reporting: in case both flags are active,
both HTTP headers, Content-Security-Policy and Content-Security-Policy-Report-Only,
would be used.
# `inheritDefault` is enabled per default if omitted
inheritDefault: true
mutations:
  - mode: extend
    directive: img-src
    sources:
      - https://*.typo3.org
Example: Use enforce and report dispositions at the same time
The following example would dispose Content-Security-Policy (enforce)
and Content-Security-Policy-Report-Only (report) for a particular site.
This allows testing new CSP directives in the frontend: the example drops
the static CSP directives of the package my-vendor/my-package in the
enforced disposition and only applies them to the reporting disposition.
enforce:
  # `inheritDefault` is enabled per default if omitted
  inheritDefault: true
  # `includeResolutions` is enabled per default if omitted
  includeResolutions: true
  mutations:
    - mode: extend
      directive: img-src
      sources:
        - https://*.typo3.org
  packages:
    # all (`*`) packages shall be included (`true`)
    '*': true
    # the package `my-vendor/my-package` shall be dropped (`false`)
    my-vendor/my-package: false
report:
  # `inheritDefault` is enabled per default if omitted
  inheritDefault: true
  # `includeResolutions` is enabled per default if omitted
  includeResolutions: true
  mutations:
    - mode: extend
      directive: img-src
      sources:
        - https://*.my-vendor.example.org/
  # the `packages` section can be omitted in this case, since all packages
  # listed there shall be included - which is the default behavior in case
  # `packages` would not be configured
  packages:
    # all (`*`) packages shall be included (`true`)
    '*': true
    # the package `my-vendor/my-package` shall be included (`true`)
    my-vendor/my-package: true
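As an added illustration of the configuration scheme and the examples above (example code written for this page, not TYPO3's own implementation), the following Python resolves which of the two headers a site emits from a parsed site configuration and the two feature flags. The default mutations, dynamic resolutions and package mutations are constructed sample data; the precedence rules (site-level enforce/report keys take priority over the feature flags, true means defaults only, a missing key means no header, a legacy top-level config follows the flags) and the set/extend mutation modes are my reading of the description, not a statement of how TYPO3 resolves them internally.

```python
from __future__ import annotations

from typing import Any

# Header written for each disposition (names as used in the changelog above).
HEADER_NAMES = {
    "enforce": "Content-Security-Policy",
    "report": "Content-Security-Policy-Report-Only",
}

# Constructed, hypothetical environment (not TYPO3 data): default site-unspecific
# mutations (`inheritDefault`), dynamic resolutions persisted via the backend
# module (`includeResolutions`) and static mutations shipped by packages (`packages`).
DEFAULT_MUTATIONS = [{"mode": "set", "directive": "default-src", "sources": ["'self'"]}]
RESOLUTIONS = [{"mode": "extend", "directive": "img-src", "sources": ["data:"]}]
PACKAGE_MUTATIONS = {
    "my-vendor/my-package": [
        {"mode": "extend", "directive": "script-src", "sources": ["https://cdn.my-vendor.example.org"]}
    ],
    "other-vendor/other-package": [
        {"mode": "extend", "directive": "style-src", "sources": ["'self'"]}
    ],
}

# The site configurations shown above, as the parsed YAML would look.
TYPO3_IMG = {"mode": "extend", "directive": "img-src", "sources": ["https://*.typo3.org"]}
EXAMPLE_DISABLED = {"active": False}
EXAMPLE_REPORT_ONLY = {"report": {"inheritDefault": True, "mutations": [TYPO3_IMG]}}
EXAMPLE_LEGACY = {"inheritDefault": True, "mutations": [TYPO3_IMG]}
EXAMPLE_BOTH = {
    "enforce": {"mutations": [TYPO3_IMG], "packages": {"*": True, "my-vendor/my-package": False}},
    "report": {
        "mutations": [{"mode": "extend", "directive": "img-src", "sources": ["https://*.my-vendor.example.org/"]}],
        "packages": {"*": True, "my-vendor/my-package": True},
    },
}


def package_included(packages: dict[str, bool] | None, name: str) -> bool:
    """An explicit entry wins, then the `*` wildcard, then the default of including everything."""
    if not packages:
        return True
    if name in packages:
        return bool(packages[name])
    return bool(packages.get("*", True))


def apply_mutation(policy: dict[str, list[str]], mutation: dict[str, Any]) -> None:
    """`set` replaces a directive's sources, `extend` appends sources not yet present (assumed modes)."""
    directive, sources = mutation["directive"], list(mutation["sources"])
    if mutation["mode"] == "set":
        policy[directive] = sources
    elif mutation["mode"] == "extend":
        current = policy.setdefault(directive, [])
        current.extend(s for s in sources if s not in current)
    else:
        raise ValueError(f"unsupported mutation mode: {mutation['mode']}")


def compile_policy(disposition: dict[str, Any]) -> dict[str, list[str]]:
    """Build directive -> sources for one disposition-array, in the order the scheme lists its inputs."""
    policy: dict[str, list[str]] = {}
    if disposition.get("inheritDefault", True):
        for m in DEFAULT_MUTATIONS:
            apply_mutation(policy, m)
    if disposition.get("includeResolutions", True):
        for m in RESOLUTIONS:
            apply_mutation(policy, m)
    for name, mutations in PACKAGE_MUTATIONS.items():
        if package_included(disposition.get("packages"), name):
            for m in mutations:
                apply_mutation(policy, m)
    for m in disposition.get("mutations", []):
        apply_mutation(policy, m)
    return policy


def resolve_dispositions(site_config: dict[str, Any], flags: dict[str, bool]) -> dict[str, dict[str, Any]]:
    """Map disposition name -> disposition-array for every header the site should emit (assumed precedence)."""
    if site_config.get("active", True) is False:
        return {}  # `active: false` overrules everything else
    if "enforce" in site_config or "report" in site_config:
        result = {}
        for name in HEADER_NAMES:
            value = site_config.get(name, False)
            if value is True:
                result[name] = {}  # defaults only
            elif isinstance(value, dict):
                result[name] = value
        return result
    # legacy top-level config: applied to each disposition whose feature flag is active
    legacy = {k: v for k, v in site_config.items() if k != "active"}
    return {name: legacy for name in HEADER_NAMES if flags.get(name, False)}


def build_headers(site_config: dict[str, Any], flags: dict[str, bool]) -> dict[str, str]:
    """Serialize each resolved disposition into its HTTP header value."""
    headers = {}
    for name, disposition in resolve_dispositions(site_config, flags).items():
        policy = compile_policy(disposition)
        headers[HEADER_NAMES[name]] = "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())
    return headers


if __name__ == "__main__":
    both_flags = {"enforce": True, "report": True}
    for label, cfg in [("disabled", EXAMPLE_DISABLED), ("report only", EXAMPLE_REPORT_ONLY),
                       ("legacy", EXAMPLE_LEGACY), ("enforce + report", EXAMPLE_BOTH)]:
        print(f"--- {label}")
        for header, value in build_headers(cfg, both_flags).items():
            print(f"{header}: {value}")
```

Running the script prints the header set for each of the four configurations; the enforce + report case shows script-src from my-vendor/my-package only in the Report-Only header, which is the point of dropping a package from the enforced disposition while still reporting on it.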