Content-Security-Policy
Concept, Strategies, Pitfalls
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2023
August 4th, 2023
TYPO3 Developer Days 2023 - Content-Security-Policy - oliver.hader@typo3.org 2
~# whoami
Oliver Hader
@ohader
▪ Research & Development
▪ TYPO3 Security Team Lead
▪ 50% TYPO3 GmbH / 50% Freelancer
▪ #hof #cycling #paramedic #in.die.musik
Agenda
▪ Why?
▪ Concept
Introduction to Content-Security-Policy
▪ Pitfalls
Examples and CSP in Action
▪ Strategies
Content-Security-Policy in TYPO3 v12+
Why?
cause matters
Trigger Warning ⚠︎
▪ please, don’t publish security vulnerabilities to public channels
▪ not on GitHub/Forge
▪ not in Slack channels
▪ not on Twitter, ...
▪ report to security@typo3.org
▪ security team supports community
Why?
▪ cross-site scripting & privacy concerns
▪ 2018-2023: 34 XSS vulnerabilities in TYPO3 CMS
▪ script execution / remote control via JavaScript
(in the scope & with the permissions of the victim)
▪ trigger download of executable applications
▪ extract users’ details (location, IP address, session data, …)
▪ <script> | <img src="~" onerror="…"> | <iframe> | <style> | …
Video <script>
Video <link rel="stylesheet">
Concept
Content-Security-Policy
Content-Security-Policy (CSP)
Content-Security-Policy as meta tag or HTTP header (preferred)
Content-Security-Policy (CSP)
directive:
▪ default-src
▪ img-src
▪ child-src
▪ frame-src
▪ script-src | style-src
▪ sandbox
source (*-src):
▪ 'none'
▪ 'self'
▪ *.example.org
▪ https://example.org
▪ https: | data:
source ([script|style]-src):
▪ 'unsafe-eval'
▪ 'unsafe-inline'
▪ 'nonce-…'
▪ 'strict-dynamic'
Content-Security-Policy (CSP)
docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Content-Security-Policy (CSP) - Examples
script-src (CSP2) vs. script-src, script-src-elem, script-src-attr (CSP3)
[screenshot: four annotated policy examples using example.org, 'unsafe-inline', 'unsafe-eval', 'unsafe-hashes', script-src-elem and script-src-attr]
Content-Security-Policy (CSP) - Examples
style-src (CSP2) vs. style-src, style-src-elem, style-src-attr (CSP3)
[screenshot: three annotated policy examples using example.org, 'unsafe-inline', style-src-elem and style-src-attr]
Content-Security-Policy (CSP)
Support of CSP Level 3 script-src-elem - Apple: "nope"
Content-Security-Policy (CSP) - onclick example
button clicked, script execution blocked
button clicked, 'unsafe-inline' script executed
button clicked, 'unsafe-hashes' script executed
Content-Security-Policy (CSP) - external scripts example
HTML on typo3v12, loads from hacko3v12, loads from other3v12
on https://typo3v12.ddev.site/…
https://hacko3v12.ddev.site/static/cross-script.js
loaded from typo3v12, hacko3v12, other3v12, blocked eval
allow loading all scripts via 'strict-dynamic' when nonce is given
'strict-dynamic' works when using DOM-API ✅ - denied for "parser-inserted" script ❌
Content-Security-Policy (CSP)
Support of CSP Level 3 strict-dynamic - Apple: "yepp"
Content-Security-Policy (CSP) - CSP Simulator
▪ github.com/ohader/csp-simulator
▪ Content-Security-Policy Simulator
▪ HTTP man-in-the-middle proxy
▪ for arbitrary websites
Strategies
The TYPO3 POV
TYPO3 and CSP
▪ general: prevention & detection strategy
▪ provide tools/APIs, suggestions, advisories
▪ Content-Security-Policy to mitigate XSS vulnerabilities
▪ with TYPO3 v12: available, but not enforced
▪ with TYPO3 v13: plans to enable CSP by default
▪ listen to & incorporate community feedback & experience
TYPO3 and CSP
Dedicated feature flag scopes (backend, frontend, frontend & site)
Excerpt of CSP "Policy" models, directives, sources, …
Static CSP declaration for extensions in PHP or site config
TYPO3 and CSP
▪ "nonce" = number used once(!) (must be random, not predictable)
▪ nonce value added automatically for static(!) files in PageRenderer
▪ nonce value added for inline scripts and styles when explicitly requested, in PageRenderer and AssetCollector (incl. Fluid view helpers)
TYPO3 and CSP
CSP reporting backend module
CSP reporting backend module & applying "resolutions"
Individual CSP violation handlers, suggesting "resolutions"
CSP HTTP header for backend requests
Manually triggered CSP violation (eval)
CSP violation sent back to TYPO3 reporting endpoint
Pitfalls
observations
Pitfalls
▪ […] 'unsafe-inline' is ignored if either a hash or nonce value is present […]
▪ same for style-src
▪ (TYPO3 is prepared to add nonce values everywhere*)
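Added example, not code from the deck or from TYPO3: a small Python model of the source-list rules behind the directive/source slide, the nonce slide and this pitfall, so the behaviour can be checked offline. It assumes the CSP3 fallback chain (script-src-elem → script-src → default-src), a constructed policy in `build_header`, and that a script inserted via the DOM API was added by a trusted script; all function names are this example's own.

```python
import secrets
from urllib.parse import urlsplit

# CSP3 fallback chains: a missing script-src-elem falls back to script-src,
# then to default-src (the same applies to the style-src-* directives).
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "style-src-attr": ["style-src-attr", "style-src", "default-src"],
}
# Presence of any of these in a source list makes browsers ignore 'unsafe-inline'.
INLINE_BLOCKERS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def generate_nonce(nbytes=16):
    """A nonce is a 'number used once': fresh and unpredictable per response."""
    return secrets.token_urlsafe(nbytes)


def build_header(nonce):
    """Constructed example policy (not TYPO3's actual one) carrying the nonce."""
    return (f"default-src 'self'; base-uri 'self'; "
            f"script-src 'self' 'nonce-{nonce}' 'strict-dynamic'; "
            f"style-src 'self' 'nonce-{nonce}'")


def parse_policy(header):
    """'script-src a b; style-src c' -> {'script-src': ['a', 'b'], 'style-src': ['c']}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_list(policy, directive):
    """The source list governing `directive`, or None if nothing restricts it."""
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if name in policy:
            return policy[name]
    return None


def allows_inline(policy, directive, nonce=None):
    """Would an inline <script>/<style> (or an event-handler attribute) run?"""
    sources = source_list(policy, directive)
    if sources is None:
        return True
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    # The pitfall from the slide: once a nonce or hash (or 'strict-dynamic')
    # is in the list, 'unsafe-inline' is ignored, for script-src and style-src alike.
    if "'strict-dynamic'" in sources or any(s.startswith(INLINE_BLOCKERS) for s in sources):
        return False
    return "'unsafe-inline'" in sources


def _matches_host_source(expr, url):
    """Scheme-source ('https:', 'data:') or host-source ('*.example.org', 'https://example.org')."""
    target = urlsplit(url)
    if expr.endswith(":") and "/" not in expr:
        return target.scheme == expr[:-1].lower()
    scheme, _, rest = expr.rpartition("://")
    if scheme and target.scheme != scheme.lower():
        return False
    host = rest.split("/")[0].lower()
    name = (target.hostname or "").lower()
    if host.startswith("*."):
        return name.endswith(host[1:])  # '*.example.org' does not match 'example.org' itself
    return name == host


def allows_url(policy, directive, url, page_origin, nonce=None, parser_inserted=True):
    """Would an external script/style at `url` load on a page at `page_origin`?

    parser_inserted=True models <script src> written in the HTML; False models a
    script element created through the DOM API by an (assumed trusted) script."""
    sources = source_list(policy, directive)
    if sources is None:
        return True
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    if "'strict-dynamic'" in sources:
        # Host, scheme and 'self' sources are ignored: only nonced scripts and
        # scripts added via the DOM API by trusted scripts may load, which is
        # what the external scripts example shows (DOM API ok, parser-inserted denied).
        return not parser_inserted
    page, target = urlsplit(page_origin), urlsplit(url)
    for expr in sources:
        if expr == "'self'":
            if (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port):
                return True
        elif not expr.startswith("'") and _matches_host_source(expr, url):
            return True
    return False  # nothing matched; this is also the 'none' case


if __name__ == "__main__":
    nonce = generate_nonce()
    policy = parse_policy(build_header(nonce))
    page = "https://typo3v12.ddev.site"
    foreign = "https://hacko3v12.ddev.site/static/cross-script.js"
    print("inline with nonce:", allows_inline(policy, "script-src-elem", nonce))
    print("inline without nonce:", allows_inline(policy, "script-src-elem"))
    print("parser-inserted foreign script:", allows_url(policy, "script-src-elem", foreign, page))
    print("DOM-API-inserted foreign script:",
          allows_url(policy, "script-src-elem", foreign, page, parser_inserted=False))
```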
Pitfalls
Google's Suggestion on Integrating Google Maps
❌ CSP Level 3
CSP Level 2
Pitfalls
▪ false-positive reports
▪ caused by browser plugins
▪ can use own scheme, e.g.
▪ moz-extension:
▪ safari-extension:
Pitfalls
▪ Google Translate proxies site
▪ request was actually blocked
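Added example, not TYPO3's reporting module: triage of violation reports in the report-uri JSON format, separating the two kinds of noise from the pitfall slides (browser-extension schemes and reports from a proxied copy of the site, as with Google Translate) from violations that deserve a "resolution" in the sense of the backend module. The sample reports, the extension scheme set (moz-extension and safari-extension from the deck, chrome-extension added here) and the "document-uri origin differs from the site" heuristic are this example's assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Browsers usually reduce an extension's blocked URL to its bare scheme in the
# report ("moz-extension"); sometimes "scheme:" or a full URL shows up instead.
EXTENSION_SCHEMES = {"moz-extension", "safari-extension", "chrome-extension"}

# Constructed sample reports, one JSON document per line as a collecting
# endpoint might log them (report-uri format: everything under "csp-report").
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://typo3v12.ddev.site/typo3/",
                               "effective-directive": "script-src-elem", "blocked-uri": "moz-extension"}}),
    json.dumps({"csp-report": {"document-uri": "https://typo3v12.ddev.site/typo3/",
                               "effective-directive": "style-src-elem",
                               "blocked-uri": "safari-extension://com.example.plugin/inject.css"}}),
    # page served by a translation proxy, i.e. not from the site's own origin (constructed stand-in)
    json.dumps({"csp-report": {"document-uri": "https://translation-proxy.example/typo3v12.ddev.site/",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "https://translation-proxy.example/static/translate.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://typo3v12.ddev.site/", "effective-directive": "script-src-elem",
                               "blocked-uri": "https://hacko3v12.ddev.site/static/cross-script.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://typo3v12.ddev.site/", "effective-directive": "script-src",
                               "blocked-uri": "eval"}}),
    json.dumps({"csp-report": {"document-uri": "https://typo3v12.ddev.site/", "effective-directive": "script-src-elem",
                               "blocked-uri": "https://hacko3v12.ddev.site/static/cross-script.js"}}),
    "garbage that is not JSON",
]


def _scheme(value):
    """'moz-extension', 'moz-extension:' and 'moz-extension://id/x.js' all -> 'moz-extension'."""
    return value.split(":", 1)[0].lower() if value else ""


def classify(report, site_origin):
    """Return 'extension', 'proxied', 'inline', 'eval' or 'external'."""
    body = report.get("csp-report", report)
    blocked = body.get("blocked-uri", "")
    doc, site = urlsplit(body.get("document-uri", "")), urlsplit(site_origin)
    if _scheme(blocked) in EXTENSION_SCHEMES:
        return "extension"  # injected by a browser plugin: false positive
    if (doc.scheme, doc.netloc) != (site.scheme, site.netloc):
        return "proxied"    # the page was served from a foreign origin, e.g. a translation proxy
    if blocked in ("inline", "eval"):
        return blocked
    return "external"


def triage(report_lines, site_origin):
    """Count report kinds and group actionable violations by (directive, blocked-uri)."""
    counts, actionable = Counter(), Counter()
    for line in report_lines:
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            report = None
        if not isinstance(report, dict):
            counts["malformed"] += 1
            continue
        kind = classify(report, site_origin)
        counts[kind] += 1
        if kind in ("extension", "proxied"):
            continue
        body = report.get("csp-report", report)
        directive = body.get("effective-directive") or body.get("violated-directive", "?")
        actionable[(directive, body.get("blocked-uri", ""))] += 1
    return counts, actionable


def suggest_resolution(directive, blocked_uri):
    """Propose the policy change that would allow the blocked resource, in the
    spirit of the backend module's "resolutions".  It is a suggestion for human
    review: an unexpected host here is exactly the injection the policy stopped."""
    if blocked_uri == "eval":
        return f"{directive}: would need 'unsafe-eval'; rather remove the eval() usage"
    if blocked_uri == "inline":
        return f"{directive}: give the inline element a nonce instead of 'unsafe-inline'"
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{directive}: add {parts.scheme}://{parts.netloc} if this source is expected"
    return f"{directive}: review blocked-uri {blocked_uri!r}"


if __name__ == "__main__":
    counts, actionable = triage(SAMPLE_REPORTS, "https://typo3v12.ddev.site")
    print(dict(counts))
    for (directive, blocked), n in actionable.most_common():
        print(n, "x", suggest_resolution(directive, blocked))
```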
Pitfalls
▪ something™ changes base-uri
▪ <base href="https://h4ck3r.org">
▪ CSP: base-uri 'none' | 'self'
Conclusion?
▪ unfinished CSP Level 3 (draft) vs CSP Level 2 (2016)
▪ painful backward compatibility & open questions
▪ somewhere in between max. convenience & max. security
▪ please enable CSP in TYPO3 v12 (backend, maybe frontend)
▪ report your findings & feedback to https://forge.typo3.org
thanks!
questions?

Contenu connexe

Similaire à T3DD23 Content Security Policy - Concept, Strategies & Pitfalls

What's new in Reactor Californium
What's new in Reactor CaliforniumWhat's new in Reactor Californium
What's new in Reactor CaliforniumStéphane Maldini
 
May 2023 CIAOPS Need to Know Webinar
May 2023 CIAOPS Need to Know WebinarMay 2023 CIAOPS Need to Know Webinar
May 2023 CIAOPS Need to Know WebinarRobert Crane
 
Aviation Aerospace & Defense industry TRIZ Case Studies - An Overview
Aviation Aerospace & Defense industry TRIZ Case Studies - An Overview Aviation Aerospace & Defense industry TRIZ Case Studies - An Overview
Aviation Aerospace & Defense industry TRIZ Case Studies - An Overview Richard Platt
 
Spring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniSpring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniVMware Tanzu
 
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
CYBER SECURITY WORKSHOP (Only For Educational Purpose)CYBER SECURITY WORKSHOP (Only For Educational Purpose)
CYBER SECURITY WORKSHOP (Only For Educational Purpose)Chanaka Lasantha
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOpsGetting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOpsFranklin Mosley
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuNixu Corporation
 
Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Abhik Roychoudhury
 
Building Data Environments for Production Microservices with Geode
Building Data Environments for Production Microservices with GeodeBuilding Data Environments for Production Microservices with Geode
Building Data Environments for Production Microservices with GeodeVMware Tanzu
 
Securing Pivotal Platform at Prime Therapeutics
Securing Pivotal Platform at Prime TherapeuticsSecuring Pivotal Platform at Prime Therapeutics
Securing Pivotal Platform at Prime TherapeuticsVMware Tanzu
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPiotr Dyba
 
Introduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule SetIntroduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule SetChristian Folini
 
Highway to heaven - Microservices Meetup Dublin
Highway to heaven - Microservices Meetup DublinHighway to heaven - Microservices Meetup Dublin
Highway to heaven - Microservices Meetup DublinChristian Deger
 
riffing on Knative - Scott Andrews
riffing on Knative - Scott Andrewsriffing on Knative - Scott Andrews
riffing on Knative - Scott AndrewsVMware Tanzu
 
Get into MBSE-MBSA process with a dedicated toolchain
Get into MBSE-MBSA process with a dedicated toolchainGet into MBSE-MBSA process with a dedicated toolchain
Get into MBSE-MBSA process with a dedicated toolchainObeo
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023Shane Coughlan
 
Future of Web Security Opened up by CSP
Future of Web Security Opened up by CSPFuture of Web Security Opened up by CSP
Future of Web Security Opened up by CSPMuneaki Nishimura
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020NSC42 Ltd
 

Similaire à T3DD23 Content Security Policy - Concept, Strategies & Pitfalls (20)

What's new in Reactor Californium
What's new in Reactor CaliforniumWhat's new in Reactor Californium
What's new in Reactor Californium
 
May 2023 CIAOPS Need to Know Webinar
May 2023 CIAOPS Need to Know WebinarMay 2023 CIAOPS Need to Know Webinar
May 2023 CIAOPS Need to Know Webinar
 
Aviation Aerospace & Defense industry TRIZ Case Studies - An Overview
Aviation Aerospace & Defense industry TRIZ Case Studies - An Overview Aviation Aerospace & Defense industry TRIZ Case Studies - An Overview
Aviation Aerospace & Defense industry TRIZ Case Studies - An Overview
 
Spring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniSpring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane Maldini
 
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
CYBER SECURITY WORKSHOP (Only For Educational Purpose)CYBER SECURITY WORKSHOP (Only For Educational Purpose)
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
 
Spring Cloud Gateway
Spring Cloud GatewaySpring Cloud Gateway
Spring Cloud Gateway
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOpsGetting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOps
 
S1P: Spring Cloud on PKS
S1P: Spring Cloud on PKSS1P: Spring Cloud on PKS
S1P: Spring Cloud on PKS
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
 
Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Singapore International Cyberweek 2020
Singapore International Cyberweek 2020
 
Building Data Environments for Production Microservices with Geode
Building Data Environments for Production Microservices with GeodeBuilding Data Environments for Production Microservices with Geode
Building Data Environments for Production Microservices with Geode
 
Securing Pivotal Platform at Prime Therapeutics
Securing Pivotal Platform at Prime TherapeuticsSecuring Pivotal Platform at Prime Therapeutics
Securing Pivotal Platform at Prime Therapeutics
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: security
 
Introduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule SetIntroduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule Set
 
Highway to heaven - Microservices Meetup Dublin
Highway to heaven - Microservices Meetup DublinHighway to heaven - Microservices Meetup Dublin
Highway to heaven - Microservices Meetup Dublin
 
riffing on Knative - Scott Andrews
riffing on Knative - Scott Andrewsriffing on Knative - Scott Andrews
riffing on Knative - Scott Andrews
 
Get into MBSE-MBSA process with a dedicated toolchain
Get into MBSE-MBSA process with a dedicated toolchainGet into MBSE-MBSA process with a dedicated toolchain
Get into MBSE-MBSA process with a dedicated toolchain
 
OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023OpenChain Mini-Summit May 2023
OpenChain Mini-Summit May 2023
 
Future of Web Security Opened up by CSP
Future of Web Security Opened up by CSPFuture of Web Security Opened up by CSP
Future of Web Security Opened up by CSP
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
 

Plus de Oliver Hader

TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"Oliver Hader
 
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)Oliver Hader
 
TYPO3 Event Sourcing
TYPO3 Event SourcingTYPO3 Event Sourcing
TYPO3 Event SourcingOliver Hader
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityOliver Hader
 
TYPO3 Backstage Development
TYPO3 Backstage DevelopmentTYPO3 Backstage Development
TYPO3 Backstage DevelopmentOliver Hader
 
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Oliver Hader
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSWebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSOliver Hader
 
Web application security
Web application securityWeb application security
Web application securityOliver Hader
 
Contribute to TYPO3 CMS
Contribute to TYPO3 CMSContribute to TYPO3 CMS
Contribute to TYPO3 CMSOliver Hader
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamOliver Hader
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0Oliver Hader
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)Oliver Hader
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7Oliver Hader
 

Plus de Oliver Hader (15)

Hacking TYPO3 v9
Hacking TYPO3 v9Hacking TYPO3 v9
Hacking TYPO3 v9
 
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
 
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
 
TYPO3 Event Sourcing
TYPO3 Event SourcingTYPO3 Event Sourcing
TYPO3 Event Sourcing
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 
TYPO3 Backstage Development
TYPO3 Backstage DevelopmentTYPO3 Backstage Development
TYPO3 Backstage Development
 
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSWebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
 
Web Components
Web ComponentsWeb Components
Web Components
 
Web application security
Web application securityWeb application security
Web application security
 
Contribute to TYPO3 CMS
Contribute to TYPO3 CMSContribute to TYPO3 CMS
Contribute to TYPO3 CMS
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS Team
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7
 

Dernier

Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 

Dernier (20)

Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 

T3DD23 Content Security Policy - Concept, Strategies & Pitfalls

  • 1. Content-Security-Policy Concept, Strategies, Pitfalls Oliver Hader oliver@typo3.org @ohader TYPO3 Developer Days 2023 August 4th, 2023
  • 2. ~# whoami Oliver Hader @ohader (TYPO3 Developer Days 2023 - Content-Security-Policy - oliver.hader@typo3.org 2)
    ▪ Research & Development
    ▪ TYPO3 Security Team Lead
    ▪ 50% TYPO3 GmbH / 50% Freelancer
    ▪ #hof #cycling #paramedic #in.die.musik
  • 3. Agenda
    ▪ Why?
    ▪ Concept: Introduction to Content-Security-Policy
    ▪ Pitfalls: Examples and CSP in Action
    ▪ Strategies: Content-Security-Policy in TYPO3 v12+
  • 4. Why? (cause matters)
  • 5. Trigger Warning ⚠︎
    ▪ please, don't publish security vulnerabilities to public channels
      ▪ not on GitHub/Forge
      ▪ not in Slack channels
      ▪ not on Twitter, ...
    ▪ report to security@typo3.org
    ▪ security team supports community
  • 6. Why?
    ▪ cross-site scripting & privacy concerns
    ▪ 2018-2023: 34 XSS vulnerabilities in TYPO3 CMS
    ▪ script execution / remote control via JavaScript (in the scope & with the permissions of the victim)
    ▪ trigger download of executable applications
    ▪ extract users' details (location, IP address, session data, …)
    ▪ <script> | <img src="~" onerror="…"> | <iframe> | <style> | …
  • 7. Video: <script>
  • 8. Video: <link rel="stylesheet">
  • 9. Concept: Content-Security-Policy
  • 10. Content-Security-Policy (CSP): as meta tag or HTTP header (preferred)
  • 11. Content-Security-Policy (CSP)
    ▪ directive: default-src, img-src, child-src, frame-src, script-src | style-src, sandbox
    ▪ source (*-src): 'none', 'self', *.example.org, https://example.org, https: | data:
    ▪ source ([script|style]-src): 'unsafe-eval', 'unsafe-inline', 'nonce-…', 'strict-dynamic'
  • 12. Content-Security-Policy (CSP): docs https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  • 13. Content-Security-Policy (CSP) - Examples: script-src (CSP2) vs. script-src, script-src-elem, script-src-attr (CSP3) [diagram with four numbered examples; sources shown: example.org, 'unsafe-inline', 'unsafe-eval', 'unsafe-hashes'; CSP3 directives shown: script-src-elem, script-src-attr]
  • 14. Content-Security-Policy (CSP) - Examples: style-src (CSP2) vs. style-src, style-src-elem, style-src-attr (CSP3) [diagram with three numbered examples; sources shown: example.org, 'unsafe-inline'; CSP3 directives shown: style-src-elem, style-src-attr]
  • 15. Content-Security-Policy (CSP): Support of CSP Level 3 script-src-elem - Apple: "nope"
  • 16. Content-Security-Policy (CSP) - onclick example: button clicked, script execution blocked
  • 17. Content-Security-Policy (CSP) - onclick example: button clicked, 'unsafe-inline' script executed
  • 18. Content-Security-Policy (CSP) - onclick example: button clicked, 'unsafe-hashes' script executed
  • 19. Content-Security-Policy (CSP) - external scripts example: HTML on typo3v12, loads from hacko3v12, loads from other3v12
    ▪ on https://typo3v12.ddev.site/…
    ▪ https://hacko3v12.ddev.site/static/cross-script.js
  • 20. Content-Security-Policy (CSP) - external scripts example: loaded from typo3v12, hacko3v12, other3v12, blocked eval
  • 21. Content-Security-Policy (CSP) - external scripts example: allow loading all scripts via 'strict-dynamic' when nonce is given
  • 22. Content-Security-Policy (CSP) - external scripts example: 'strict-dynamic' works when using DOM-API ✅ - denied for "parser-inserted" script ❌
    ▪ on https://typo3v12.ddev.site/…
    ▪ https://hacko3v12.ddev.site/static/cross-script.js
  • 23. Content-Security-Policy (CSP): Support of CSP Level 3 strict-dynamic - Apple: "yepp"
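The following Python module is an added example for slides 11 to 23, not code from the talk and not TYPO3 core code (which is PHP). It builds a policy header value from the directive and source expressions the slides list, generates a per-response nonce ("number used once", as slide 30 puts it), computes the 'sha256-…' hash that 'unsafe-hashes' needs for an inline onclick handler (slide 18), and lints the result for two things the slides show: 'unsafe-inline' being ignored once a nonce or hash is present (slide 39), and 'strict-dynamic' making 'self', host and scheme sources irrelevant so that only nonced scripts and what they insert via DOM APIs run (slides 21 and 22). The handler text toggleMenu() and the report path /csp-report are constructed for the example.

```python
"""Build and lint a Content-Security-Policy header value.

Added example in Python, not code from the talk or from TYPO3 core (which
is PHP). It shows the building blocks from the slides: directives and
source expressions, a random per-response nonce ('nonce-...'), a
'sha256-...' hash for an inline event handler used with 'unsafe-hashes',
and two lints for behaviour the talk points out:
  * 'unsafe-inline' is ignored once a nonce or hash source is present;
  * with 'strict-dynamic' the browser ignores host sources, scheme
    sources, 'self' and 'unsafe-inline'; only nonced/hashed scripts and
    the scripts they insert via DOM APIs run, parser-inserted ones do not.
"""
import base64
import hashlib
import secrets

# Directives whose sources may carry nonce, hash and 'unsafe-*' keywords.
INLINE_DIRECTIVES = (
    "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr",
)
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def make_nonce(num_bytes: int = 16) -> str:
    """Number used once: generate a fresh, unpredictable value per response."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hash_source(inline_code: str) -> str:
    """'sha256-...' source for inline code; it covers the exact bytes, so a
    changed character or whitespace in the attribute invalidates it."""
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def serialize(policy: dict) -> str:
    """Render {directive: [sources]} as the header value: directives are
    separated by '; ', sources by single spaces (sandbox may have none)."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def lint_policy(policy: dict) -> list:
    """Return human-readable warnings for sources the browser will ignore."""
    warnings = []
    for name, sources in policy.items():
        if name not in INLINE_DIRECTIVES:
            continue
        has_nonce_or_hash = any(
            s.startswith("'nonce-") or s.startswith(HASH_PREFIXES) for s in sources
        )
        if "'unsafe-inline'" in sources and has_nonce_or_hash:
            warnings.append(
                f"{name}: 'unsafe-inline' is ignored because a nonce or hash source is present"
            )
        if name.startswith("script-src") and "'strict-dynamic'" in sources:
            # Keyword sources start with a quote; host and scheme sources do not.
            ignored = [s for s in sources
                       if s in ("'self'", "'unsafe-inline'") or not s.startswith("'")]
            if ignored:
                warnings.append(
                    f"{name}: 'strict-dynamic' makes these sources ignored: {', '.join(ignored)}"
                )
    return warnings


def example_policy(nonce: str) -> dict:
    """Policy for one response. It deliberately contains the two pitfalls
    so that lint_policy() has something to report. The handler text
    'toggleMenu()' and the report path '/csp-report' are constructed."""
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", "'strict-dynamic'"],
        "script-src-attr": ["'unsafe-hashes'", hash_source("toggleMenu()")],
        "style-src": ["'self'", "'unsafe-inline'", f"'nonce-{nonce}'"],
        "img-src": ["'self'", "https:", "data:"],
        "frame-src": ["'none'"],
        "base-uri": ["'self'"],
        "report-uri": ["/csp-report"],
    }


if __name__ == "__main__":
    nonce = make_nonce()
    policy = example_policy(nonce)
    print("Content-Security-Policy: " + serialize(policy))
    for warning in lint_policy(policy):
        print("warning:", warning)
```

The nonce must be regenerated for every response and emitted both in the header and in the nonce attribute of each trusted script or style tag; a cached or guessable value defeats the mechanism. The hash for the onclick handler is computed over the attribute value exactly as served, which is why hashing inline handlers is brittle compared to moving the handler into a nonced script.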
  • 24. Content-Security-Policy (CSP) - CSP Simulator
    ▪ github.com/ohader/csp-simulator
    ▪ Content-Security-Policy Simulator
    ▪ HTTP man-in-the-middle proxy
    ▪ for arbitrary websites
  • 25. Strategies: The TYPO3 POV
  • 26. TYPO3 and CSP
    ▪ general: prevention & detection strategy
    ▪ provide tools/APIs, suggestions, advisories
    ▪ Content-Security-Policy to mitigate XSS vulnerabilities
    ▪ with TYPO3 v12: available, but not enforced
    ▪ with TYPO3 v13: plans to enable CSP per default
    ▪ listen & incorporate community feedback & experience
  • 27. TYPO3 and CSP: Dedicated feature flag scopes (backend, frontend, frontend & site)
  • 28. TYPO3 and CSP: Excerpt of CSP "Policy" models, directives, sources, …
  • 29. TYPO3 and CSP: Static CSP declaration for extensions in PHP or site config
  • 30. TYPO3 and CSP
    ▪ "nonce" = number used once(!) (must be random, not predictable)
    ▪ nonce value added automatically for static(!) files in PageRenderer
    ▪ nonce value added for inline scripts and styles when explicitly requested, in PageRenderer and AssetCollector (incl. Fluid view helpers)
  • 31. TYPO3 and CSP: CSP reporting backend module
  • 32. TYPO3 and CSP: CSP reporting backend module & applying "resolutions"
  • 33. TYPO3 and CSP: Individual CSP violation handlers, suggesting "resolutions"
  • 34. TYPO3 and CSP: CSP HTTP header for backend requests
  • 35. TYPO3 and CSP: Manually triggered CSP violation (eval)
  • 36. TYPO3 and CSP: CSP violation sent back to TYPO3 reporting endpoint
  • 37. CSP violation sent back to TYPO3 reporting endpoint
  • 38. Pitfalls: observations
  • 39. Pitfalls
    ▪ […] 'unsafe-inline' is ignored if either a hash or nonce value is present […]
    ▪ same for style-src
    ▪ (TYPO3 is prepared to add nonce values everywhere*)
  • 40. Pitfalls: Google's Suggestion on Integrating Google Maps [screenshot: ❌ CSP Level 3 vs. CSP Level 2]
  • 41.–43. Pitfalls
    ▪ false-positive reports
    ▪ caused by browser plugins
    ▪ can use own scheme, e.g. moz-extension:, safari-extension:
  • 44. Pitfalls
    ▪ Google Translate proxies site
    ▪ request was actually blocked
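The Python module below is an added example for the reporting endpoint (slides 35 to 37) and the false-positive pitfalls (slides 41 to 44); it is not the talk's code and not TYPO3's reporting backend module. It parses the JSON bodies a browser POSTs to a report-uri endpoint and sorts them into three buckets: reports whose blocked resource or source file lives in a browser-extension scheme (moz-extension: and safari-extension: from the slides; chrome-extension: is added as the equivalent Chromium scheme) are extension noise, reports from a document served through the Google Translate proxy (assumed here to be recognisable by a document-uri host ending in .translate.goog) belong to that proxy setup rather than to the site's own markup, and everything else, such as the manually triggered eval() or a script from an unexpected host, is actionable. The sample reports are constructed; the hosts typo3v12.ddev.site and hacko3v12.ddev.site and the cross-script.js URL come from the slides, the other paths are made up.

```python
"""Triage CSP violation reports posted to a report-uri endpoint.

Added example in Python, not the talk's code and not TYPO3's reporting
module. It applies the triage rules from the pitfall slides to sample
reports constructed below (legacy "csp-report" JSON body):
  * a blocked resource or source file in a browser-extension scheme
    (moz-extension:, safari-extension:; chrome-extension: is not on the
    slides but is the equivalent Chromium scheme) is extension noise,
    not a problem in the page's own markup;
  * a document served through the Google Translate proxy (assumed here:
    document-uri host ending in .translate.goog) means the proxy rewrote
    the page and the blocked request belongs to that setup;
  * everything else, such as an eval() call or a script from an
    unexpected host, is actionable.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

EXTENSION_SCHEMES = ("moz-extension", "safari-extension", "chrome-extension")
TRANSLATE_PROXY_SUFFIX = ".translate.goog"  # assumption, see module docstring


def classify(report: dict) -> str:
    """Return 'extension-noise', 'translate-proxy' or 'actionable'."""
    body = report.get("csp-report", report)
    # Browsers send either a full URL or a bare scheme/keyword such as
    # "moz-extension", "eval" or "inline" in blocked-uri.
    for uri in (body.get("blocked-uri") or "", body.get("source-file") or ""):
        scheme = urlsplit(uri).scheme or uri
        if scheme in EXTENSION_SCHEMES:
            return "extension-noise"
    host = urlsplit(body.get("document-uri") or "").hostname or ""
    if host.endswith(TRANSLATE_PROXY_SUFFIX):
        return "translate-proxy"
    return "actionable"


def triage(raw_bodies: list[str]) -> dict[str, list[str]]:
    """Parse each POSTed JSON body and group a short label per report."""
    groups: dict[str, list[str]] = {"actionable": [], "extension-noise": [], "translate-proxy": []}
    for raw in raw_bodies:
        report = json.loads(raw)
        body = report.get("csp-report", report)
        label = f"{body.get('effective-directive', '?')} <- {body.get('blocked-uri', '?')}"
        groups[classify(report)].append(label)
    return groups


def _report(**fields) -> str:
    """Helper: serialize constructed fields as a report-uri POST body."""
    return json.dumps({"csp-report": {k.replace("_", "-"): v for k, v in fields.items()}})


# Constructed sample bodies; hosts typo3v12.ddev.site and hacko3v12.ddev.site
# and the cross-script.js URL come from the talk, the other paths are made up.
SAMPLE_BODIES = [
    _report(document_uri="https://typo3v12.ddev.site/typo3/main", effective_directive="script-src",
            blocked_uri="eval", source_file="https://typo3v12.ddev.site/static/page.js"),
    _report(document_uri="https://typo3v12.ddev.site/", effective_directive="script-src-elem",
            blocked_uri="https://hacko3v12.ddev.site/static/cross-script.js"),
    _report(document_uri="https://typo3v12.ddev.site/", effective_directive="script-src-elem",
            blocked_uri="moz-extension"),
    _report(document_uri="https://typo3v12.ddev.site/", effective_directive="style-src-elem",
            blocked_uri="inline", source_file="safari-extension://com.example.ext-ABC123/inject.js"),
    _report(document_uri="https://typo3v12-ddev-site.translate.goog/", effective_directive="img-src",
            blocked_uri="https://translate.googleapis.com/static/example.png"),
]

if __name__ == "__main__":
    for group, labels in triage(SAMPLE_BODIES).items():
        print(f"{group} ({len(labels)})")
        for label in labels:
            print("  ", label)
```

Filtering happens after the report has been stored, never before: the extension and proxy buckets are kept but excluded from alerting, so a change in browser behaviour or a mis-tuned suffix does not silently drop real violations.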
  • 45. Pitfalls
    ▪ something™ changes base-uri
    ▪ <base href="https://h4ck3r.org">
    ▪ CSP: base-uri 'none' | 'self'
  • 46. Conclusion?
  • 47. Conclusion?
    ▪ unfinished CSP Level 3 (draft) vs. CSP Level 2 (2016)
    ▪ painful backward compatibility & open questions
    ▪ somewhere in between max. convenience & max. security
    ▪ please enable CSP in TYPO3 v12 (backend, maybe frontend)
    ▪ report your findings & feedback to https://forge.typo3.org