Content-Security-Policy
Concept, Strategies, Pitfalls
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2023
August 4th, 2023
TYPO3 Developer Days 2023 - Content-Security-Policy - oliver.hader@typo3.org 2
~# whoami
Oliver Hader (@ohader)
▪ Research & Development
▪ TYPO3 Security Team Lead
▪ 50% TYPO3 GmbH / 50% Freelancer
▪ #hof #cycling #paramedic #in.die.musik
Agenda
▪ Why?
▪ Concept: Introduction to Content-Security-Policy
▪ Pitfalls: Examples and CSP in Action
▪ Strategies: Content-Security-Policy in TYPO3 v12+
Why?
cause matters
⚠︎ Trigger Warning
▪ please, don't publish security vulnerabilities to public channels
  ▪ not on GitHub/Forge
  ▪ not in Slack channels
  ▪ not on Twitter, ...
▪ report to security@typo3.org
▪ security team supports community
Why?
▪ cross-site scripting & privacy concerns
▪ 2018-2023: 34 XSS vulnerabilities in TYPO3 CMS
▪ script execution / remote control via JavaScript (in the scope & with the permissions of the victim)
▪ trigger download of executable applications
▪ extract users' details (location, IP address, session data, …)
▪ <script> | <img src="~" onerror="…"> | <iframe> | <style> | …
Video: <script>
Video: <link rel="stylesheet">
Concept
Content-Security-Policy
Content-Security-Policy (CSP)
Content-Security-Policy as meta tag or HTTP header (preferred)
Content-Security-Policy (CSP)
directives:
▪ default-src
▪ img-src
▪ child-src
▪ frame-src
▪ script-src | style-src
▪ sandbox
sources for *-src:
▪ 'none'
▪ 'self'
▪ *.example.org
▪ https://example.org
▪ https: | data:
sources for [script|style]-src:
▪ 'unsafe-eval'
▪ 'unsafe-inline'
▪ 'nonce-…'
▪ 'strict-dynamic'
Content-Security-Policy (CSP)
docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Content-Security-Policy (CSP) - Examples
script-src (CSP2) vs. script-src, script-src-elem, script-src-attr (CSP3)
[screenshot: four example policies combining example.org, 'unsafe-inline', 'unsafe-eval' and 'unsafe-hashes' with script-src-elem and script-src-attr]
Content-Security-Policy (CSP) - Examples
style-src (CSP2) vs. style-src, style-src-elem, style-src-attr (CSP3)
[screenshot: three example policies combining example.org and 'unsafe-inline' with style-src-elem and style-src-attr]
Content-Security-Policy (CSP)
Support of CSP Level 3 script-src-elem - Apple: "nope"
Content-Security-Policy (CSP) - onclick example
▪ button clicked, script execution blocked
▪ button clicked, 'unsafe-inline' script executed
▪ button clicked, 'unsafe-hashes' script executed
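The following Python example is added here and is neither part of the deck nor TYPO3 code. It assembles a header from the directives and source expressions listed above, generates a per-response nonce (random, unpredictable, as the deck later demands), and computes the 'sha256-…' source that lets the onclick handler of the example run under 'unsafe-hashes' instead of 'unsafe-inline'. The report-uri path, the handler body and the exact directive set are assumptions for illustration.

```python
"""Build a Content-Security-Policy header with nonce and hash sources.

Added example, not TYPO3 code: combines the directives and source
expressions from the deck into one header and shows how the values for
'nonce-…' and 'sha256-…' are produced.
"""
from __future__ import annotations

import base64
import hashlib
import secrets


def make_nonce(nbytes: int = 16) -> str:
    """A nonce has to be unpredictable and fresh for every response:
    128 bits from the OS CSPRNG, base64-encoded as browsers expect."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def hash_source(content: str, algo: str = "sha256") -> str:
    """Hash source expression for an inline <script>/<style> body or, together
    with 'unsafe-hashes', for an event-handler attribute value. The digest
    covers the exact UTF-8 bytes of the body or attribute value, unmodified."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_policy(directives: dict[str, list[str]]) -> str:
    """Serialise {directive: [sources]} into header syntax: directives joined
    by '; ', sources by spaces; a directive without sources stands alone."""
    parts = []
    for name, sources in directives.items():
        parts.append(f"{name} {' '.join(sources)}" if sources else name)
    return "; ".join(parts)


def example_policy(nonce: str, onclick_handler: str) -> dict[str, list[str]]:
    """Policy for the onclick example: inline <script> only via nonce, the
    onclick="" attribute only via 'unsafe-hashes' plus its hash, and base-uri
    locked down so an injected <base href> cannot redirect relative URLs."""
    handler_hash = hash_source(onclick_handler)
    return {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        # CSP2 browsers read script-src only. 'unsafe-inline' is listed for
        # CSP1-era browsers; everything that understands nonces ignores it.
        "script-src": ["'self'", f"'nonce-{nonce}'", "'unsafe-hashes'", handler_hash, "'unsafe-inline'"],
        # CSP3 browsers prefer the split directives: elements vs. attributes.
        "script-src-elem": ["'self'", f"'nonce-{nonce}'"],
        "script-src-attr": ["'unsafe-hashes'", handler_hash],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "frame-src": ["'none'"],
        "base-uri": ["'self'"],
        "report-uri": ["/csp-report"],  # assumed endpoint path, not TYPO3's
    }


def render_response_parts(nonce: str, onclick_handler: str) -> tuple[str, str]:
    """Return (header value, HTML fragment) for one response. The HTTP header
    form is preferred: <meta http-equiv="Content-Security-Policy"> applies
    only from the point where the parser reaches it and cannot carry
    report-uri, frame-ancestors or sandbox."""
    header = build_policy(example_policy(nonce, onclick_handler))
    html = (
        f'<script nonce="{nonce}">console.log("nonced inline script")</script>\n'
        f'<button onclick="{onclick_handler}">click</button>'
    )
    return header, html


if __name__ == "__main__":
    nonce = make_nonce()
    header, html = render_response_parts(nonce, "alert(1)")
    print("Content-Security-Policy:", header)
    print(html)
```

The hash has to be recomputed whenever the handler text changes by a single byte, which is why hashes suit fixed markup and nonces suit templated output.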
Content-Security-Policy (CSP) - external scripts example
▪ HTML on typo3v12, loads from hacko3v12, loads from other3v12
  on https://typo3v12.ddev.site/… loading https://hacko3v12.ddev.site/static/cross-script.js
▪ loaded from typo3v12, hacko3v12, other3v12, blocked eval
▪ allow loading all scripts via 'strict-dynamic' when nonce is given
▪ 'strict-dynamic' works when using DOM-API ✅ - denied for "parser-inserted" script ❌
Content-Security-Policy (CSP)
Support of CSP Level 3 strict-dynamic - Apple: "yepp"
Content-Security-Policy (CSP) - CSP Simulator
▪ github.com/ohader/csp-simulator
▪ Content-Security-Policy Simulator
▪ HTTP man-in-the-middle proxy
▪ for arbitrary websites
Strategies
The TYPO3 POV
TYPO3 and CSP
▪ general: prevention & detection strategy
▪ provide tools/APIs, suggestions, advisories
▪ Content-Security-Policy to mitigate XSS vulnerabilities
▪ with TYPO3 v12: available, but not enforced
▪ with TYPO3 v13: plans to enable CSP by default
▪ listen & incorporate community feedback & experience
TYPO3 and CSP
▪ Dedicated feature flag scopes (backend, frontend, frontend & site)
▪ Excerpt of CSP "Policy" models, directives, sources, …
▪ Static CSP declaration for extensions in PHP or site config
TYPO3 and CSP
▪ "nonce" = number used once(!) (must be random, not predictable)
▪ nonce value added automatically for static(!) files in PageRenderer
▪ nonce value added for inline scripts and styles when explicitly requested, in PageRenderer and AssetCollector (incl. Fluid view helpers)
TYPO3 and CSP
▪ CSP reporting backend module
▪ CSP reporting backend module & applying "resolutions"
▪ Individual CSP violation handlers, suggesting "resolutions"
▪ CSP HTTP header for backend requests
▪ Manually triggered CSP violation (eval)
▪ CSP violation sent back to TYPO3 reporting endpoint
Pitfalls
observations
Pitfalls
▪ […] 'unsafe-inline' is ignored if either a hash or nonce value is present […]
▪ same for style-src
▪ (TYPO3 is prepared to add nonce values everywhere*)
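Two observations in this deck, the 'strict-dynamic' behaviour in the external scripts example and the 'unsafe-inline' rule quoted directly above, follow from the same matching algorithm. The Python model below is an added example (not TYPO3 code and not a browser implementation) that re-implements just enough of the CSP3 script-src matching rules to reproduce both: host sources, 'self', nonces, hashes, 'unsafe-inline' and 'strict-dynamic'. Ports, paths, redirects and the elem/attr split are left out, and the nonce value and Script objects are constructed.

```python
"""Decide whether a script is allowed by a script-src source list.

Added example, not TYPO3 code: a simplified model of CSP3 source-list
matching that explains two observations from the deck:
  * 'unsafe-inline' is ignored as soon as a nonce- or hash-source is present,
  * 'strict-dynamic' ignores host/scheme sources and 'unsafe-inline', trusts
    scripts that a trusted script created via DOM APIs, and still blocks
    parser-inserted markup (innerHTML, document.write).
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Script:
    """One script the browser is about to run (constructed test input)."""
    src: str | None = None          # URL of an external script, None for inline
    nonce: str | None = None        # value of its nonce="" attribute, if any
    inline_hash: str | None = None  # precomputed 'sha256-…' of an inline body
    parser_inserted: bool = True    # False when created with document.createElement
    creator_trusted: bool = False   # True when inserted by a script that itself passed


def _host_matches(pattern: str, url: str) -> bool:
    """Scheme-source or host-source match, simplified to exact host or '*.'
    wildcard; ports, paths and redirects are not modelled here."""
    target = urlparse(url)
    if pattern.endswith(":") and "/" not in pattern:
        return target.scheme + ":" == pattern
    pat = urlparse(pattern if "://" in pattern else "https://" + pattern)
    if pat.hostname and pat.hostname.startswith("*."):
        return bool(target.hostname) and target.hostname.endswith(pat.hostname[1:])
    return target.hostname == pat.hostname


def allows(source_list: str, script: Script, document_origin: str) -> bool:
    """Does this script-src (or script-src-elem) source list allow `script`?"""
    sources = source_list.split()
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    strict_dynamic = "'strict-dynamic'" in sources
    # The pitfall from the deck: 'unsafe-inline' is ignored as soon as a
    # nonce or hash source is present; 'strict-dynamic' switches it off too.
    unsafe_inline = "'unsafe-inline'" in sources and not (has_nonce_or_hash or strict_dynamic)

    if script.nonce and f"'nonce-{script.nonce}'" in sources:
        return True
    if script.src is None:
        if script.inline_hash and f"'{script.inline_hash}'" in sources:
            return True
        return unsafe_inline
    if strict_dynamic:
        # Host and scheme sources (and 'self') are ignored. Trust propagates
        # only to scripts a trusted script created through DOM APIs.
        return script.creator_trusted and not script.parser_inserted
    for s in sources:
        if s == "'self'":
            if _host_matches(document_origin, script.src):
                return True
        elif not s.startswith("'") and _host_matches(s, script.src):
            return True
    return False


def deck_scenarios() -> dict[str, bool]:
    """Replays the deck's demo hosts; the nonce value is constructed."""
    origin = "https://typo3v12.ddev.site"
    cross = "https://hacko3v12.ddev.site/static/cross-script.js"
    nonce = "r4nd0mN0nce"
    return {
        "inline, 'unsafe-inline' only": allows("'self' 'unsafe-inline'", Script(), origin),
        "inline, 'unsafe-inline' next to a nonce": allows(f"'self' 'unsafe-inline' 'nonce-{nonce}'", Script(), origin),
        "inline with matching nonce": allows(f"'self' 'nonce-{nonce}'", Script(nonce=nonce), origin),
        "cross-origin, host not listed": allows("'self'", Script(src=cross), origin),
        "cross-origin, host listed": allows("'self' hacko3v12.ddev.site", Script(src=cross), origin),
        "strict-dynamic, parser-inserted <script src>": allows(f"'nonce-{nonce}' 'strict-dynamic' hacko3v12.ddev.site", Script(src=cross), origin),
        "strict-dynamic, createElement by nonced script": allows(f"'nonce-{nonce}' 'strict-dynamic'", Script(src=cross, parser_inserted=False, creator_trusted=True), origin),
        "strict-dynamic, innerHTML by nonced script": allows(f"'nonce-{nonce}' 'strict-dynamic'", Script(src=cross, parser_inserted=True, creator_trusted=True), origin),
    }


if __name__ == "__main__":
    for case, allowed in deck_scenarios().items():
        print("allowed " if allowed else "BLOCKED ", case)
```

The second scenario is the pitfall itself: adding a nonce for one script silently withdraws the 'unsafe-inline' that every other inline script on the page relied on, so a nonce has to be rolled out to all inline scripts and styles at once.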
Pitfalls
Google's Suggestion on Integrating Google Maps
▪ ❌ CSP Level 3
▪ CSP Level 2
Pitfalls
▪ false-positive reports
▪ caused by browser plugins
▪ can use own scheme, e.g. moz-extension:, safari-extension:
Pitfalls
▪ Google Translate proxies site
▪ request was actually blocked
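The reporting endpoint and "resolutions" described in the Strategies section, and the two false-positive pitfalls above, meet in one place: the code that reads incoming violation reports. The Python example below is added here and is not the TYPO3 reporting module. It parses both wire formats an endpoint receives (the report-uri JSON with a "csp-report" key and a Reporting API batch as used with report-to), sorts extension noise and proxied copies of the site out before anything is suggested, and only proposes a concrete source for genuinely blocked external resources. The sample reports, the extension id and the translation-proxy host name are constructed; the suggestion logic is this example's own heuristic.

```python
"""Triage CSP violation reports before turning them into policy changes.

Added example, not the TYPO3 reporting module. Sample reports at the
bottom are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Schemes browsers use for extension-injected resources: such violations
# originate in the user's browser, not in the page being served.
EXTENSION_SCHEMES = ("moz-extension", "safari-extension", "safari-web-extension", "chrome-extension")


@dataclass
class Violation:
    document_url: str
    effective_directive: str
    blocked_url: str
    source_file: str
    sample: str


def parse_reports(body: str) -> list[Violation]:
    """Accept a single report-uri POST ({"csp-report": {...}}) or a Reporting
    API batch ([{"type": "csp-violation", "body": {...}}, ...])."""
    data = json.loads(body)
    items = data if isinstance(data, list) else [data]
    out: list[Violation] = []
    for item in items:
        if "csp-report" in item:
            r = item["csp-report"]
            out.append(Violation(
                document_url=r.get("document-uri", ""),
                effective_directive=r.get("effective-directive") or r.get("violated-directive", ""),
                blocked_url=r.get("blocked-uri", ""),
                source_file=r.get("source-file", ""),
                sample=r.get("script-sample", ""),
            ))
        elif item.get("type") == "csp-violation":
            r = item.get("body", {})
            out.append(Violation(
                document_url=r.get("documentURL", ""),
                effective_directive=r.get("effectiveDirective", ""),
                blocked_url=r.get("blockedURL", ""),
                source_file=r.get("sourceFile", ""),
                sample=r.get("sample", ""),
            ))
    return out


def classify(v: Violation, own_origin: str) -> str:
    """Bucket a violation; noise checks run first so they never become policy changes."""
    if urlparse(v.blocked_url).scheme in EXTENSION_SCHEMES or urlparse(v.source_file).scheme in EXTENSION_SCHEMES:
        return "browser-extension"
    doc = urlparse(v.document_url)
    if f"{doc.scheme}://{doc.netloc}" != own_origin:
        # A copy of the page served from another origin, e.g. through a
        # translation proxy: the block happened there, not on our site.
        return "proxied-document"
    if v.blocked_url in ("eval", "wasm-eval"):
        return "eval"
    if v.blocked_url == "inline":
        return "inline"
    return "external-resource"


def suggest_resolution(v: Violation, bucket: str) -> str | None:
    """Candidate change for a reviewer to accept or reject. Only external
    resources get a concrete source; inline and eval findings need a code
    change instead of a weaker policy; noise gets nothing."""
    if bucket == "external-resource":
        u = urlparse(v.blocked_url)
        return f"{v.effective_directive} {u.scheme}://{u.netloc}"
    if bucket == "inline":
        return f"{v.effective_directive}: add a nonce or hash to the element, not 'unsafe-inline'"
    if bucket == "eval":
        return f"{v.effective_directive}: remove eval()/new Function() rather than adding 'unsafe-eval'"
    return None


def triage(body: str, own_origin: str) -> list[tuple[str, str | None]]:
    result = []
    for v in parse_reports(body):
        bucket = classify(v, own_origin)
        result.append((bucket, suggest_resolution(v, bucket)))
    return result


# Constructed sample reports: hosts are the deck's demo hosts; the extension
# id and the translation-proxy host name are made up.
SAMPLE_REPORT_URI = json.dumps({"csp-report": {
    "document-uri": "https://typo3v12.ddev.site/",
    "effective-directive": "script-src-elem",
    "blocked-uri": "https://hacko3v12.ddev.site/static/cross-script.js",
    "original-policy": "script-src 'self'; report-uri /csp-report",
}})

SAMPLE_REPORTING_API = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://typo3v12.ddev.site/",
     "body": {"documentURL": "https://typo3v12.ddev.site/", "effectiveDirective": "script-src-elem",
              "blockedURL": "moz-extension://4e3f2a1b-0c9d-4e8f-a1b2-c3d4e5f6a7b8/content.js"}},
    {"type": "csp-violation", "age": 30, "url": "https://typo3v12-ddev-site.translate.goog/",
     "body": {"documentURL": "https://typo3v12-ddev-site.translate.goog/", "effectiveDirective": "img-src",
              "blockedURL": "https://translate.example/pixel.png"}},
    {"type": "csp-violation", "age": 2, "url": "https://typo3v12.ddev.site/typo3/",
     "body": {"documentURL": "https://typo3v12.ddev.site/typo3/", "effectiveDirective": "script-src",
              "blockedURL": "eval", "sample": "eval(\"1+1\")"}},
])

if __name__ == "__main__":
    for body in (SAMPLE_REPORT_URI, SAMPLE_REPORTING_API):
        for bucket, fix in triage(body, "https://typo3v12.ddev.site"):
            print(f"{bucket:18} -> {fix}")
```

Reports are unauthenticated input from arbitrary browsers, so an endpoint should also rate-limit, cap body size and never apply a suggested source automatically; a reviewer accepting a resolution is the control that keeps an attacker from allow-listing their own host through forged reports.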
Pitfalls
▪ something™ changes base-uri
▪ <base href="https://h4ck3r.org">
▪ CSP: base-uri 'none' | 'self'
Conclusion?
▪ unfinished CSP Level 3 (draft) vs CSP Level 2 (2016)
▪ painful backward compatibility & open questions
▪ somewhere in between max. convenience & max. security
▪ please enable CSP in TYPO3 v12 (backend, maybe frontend)
▪ report your findings & feedback to https://forge.typo3.org
thanks!
questions?
