Content Security Policy (CSP) is a web security standard introduced to prevent cross-site scripting and other code injection attacks resulting from malicious content being executed in the trusted web page context. TYPO3 v12 comes with integrated CSP support, policy modeling, and violation report handling.
This talk presents the basic concepts, common pitfalls, and potential solutions for using a secure and strict Content Security Policy.
Talk during TYPO3 Developer Days 2023: https://t3dd23.typo3.com/program/sessions/content-security-policy-concept-strategies-pitfalls-561
2. TYPO3 Developer Days 2023 - Content-Security-Policy - oliver.hader@typo3.org
~# whoami
Oliver Hader
@ohader
▪ Research & Development
▪ TYPO3 Security Team Lead
▪ 50% TYPO3 GmbH / 50% Freelancer
▪ #hof #cycling #paramedic #in.die.musik
3. Agenda
▪ Why?
▪ Concept
  Introduction to Content-Security-Policy
▪ Pitfalls
  Examples and CSP in Action
▪ Strategies
  Content-Security-Policy in TYPO3 v12+
4. Why?
cause matters
5. Trigger Warning ⚠︎
▪ please, don’t publish security vulnerabilities to public channels
▪ not on GitHub/Forge
▪ not in Slack channels
▪ not on Twitter, ...
▪ report to security@typo3.org
▪ security team supports community
6. Why?
▪ cross-site scripting & privacy concerns
▪ 2018-2023: 34 XSS vulnerabilities in TYPO3 CMS
▪ script execution / remote control via JavaScript (in the scope & with the permissions of the victim)
▪ trigger download of executable applications
▪ extract users’ details (location, IP address, session data, …)
▪ <script> | <img src="~" onerror="…"> | <iframe> | <style> | …
7. Video <script>
8. Video <link rel="stylesheet">
10. Content-Security-Policy (CSP)
Content-Security-Policy as meta tag or HTTP header (preferred)
15. Content-Security-Policy (CSP)
Support of CSP Level 3 script-src-elem - Apple: “nope”
16. Content-Security-Policy (CSP) - onclick example
button clicked, script execution blocked
17. Content-Security-Policy (CSP) - onclick example
button clicked, 'unsafe-inline' script executed
18. Content-Security-Policy (CSP) - onclick example
button clicked, 'unsafe-hashes' script executed
19. Content-Security-Policy (CSP) - external scripts example
HTML on typo3v12, loads from hacko3v12, loads from other3v12
on https://typo3v12.ddev.site/…
https://hacko3v12.ddev.site/static/cross-script.js
20. Content-Security-Policy (CSP) - external scripts example
loaded from typo3v12, hacko3v12, other3v12, blocked eval
21. Content-Security-Policy (CSP) - external scripts example
allow loading all scripts via 'strict-dynamic' when nonce is given
22. Content-Security-Policy (CSP) - external scripts example
'strict-dynamic' works when using DOM-API ✅ - denied for "parser-inserted" script ❌
on https://typo3v12.ddev.site/…
https://hacko3v12.ddev.site/static/cross-script.js
23. Content-Security-Policy (CSP)
Support of CSP Level 3 strict-dynamic - Apple: “yepp”
25. Strategies
The TYPO3 POV
26. TYPO3 and CSP
▪ general: prevention & detection strategy
▪ provide tools/APIs, suggestions, advisories
▪ Content-Security-Policy to mitigate XSS vulnerabilities
▪ with TYPO3 v12: available, but not enforced
▪ with TYPO3 v13: plans to enable CSP by default
▪ listen & incorporate community feedback & experience
27. TYPO3 and CSP
Dedicated feature flag scopes (backend, frontend, frontend & site)
28. TYPO3 and CSP
Excerpt of CSP “Policy” models, directives, sources, …
29. TYPO3 and CSP
Static CSP declaration for extensions in PHP or site config
30. TYPO3 and CSP
▪ “nonce” = number used once(!) (must be random, not predictable)
▪ nonce value added automatically for static(!) files in PageRenderer
▪ nonce value added for inline scripts and styles when explicitly requested, in PageRenderer and AssetCollector (incl. Fluid view helpers)
31. TYPO3 and CSP
CSP reporting backend module
32. TYPO3 and CSP
CSP reporting backend module & applying “resolutions”
33. TYPO3 and CSP
Individual CSP violation handlers, suggesting “resolutions”
34. TYPO3 and CSP
CSP HTTP header for backend requests
35. TYPO3 and CSP
Manually triggered CSP violation (eval)
36. TYPO3 and CSP
CSP violation sent back to TYPO3 reporting endpoint
37. CSP violation sent back to TYPO3 reporting endpoint
39. Pitfalls
▪ […] 'unsafe-inline' is ignored if either a hash or nonce value is present […]
▪ same for style-src
▪ (TYPO3 is prepared to add nonce values everywhere*)
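The onclick example of slides 16 to 18 and the 'unsafe-inline' pitfall quoted above, modelled in Python as an added example (not code from the talk or from TYPO3): handler_hash() computes the 'sha256-…' source expression for an inline event handler, and inline_handler_allowed() applies the CSP rules the talk walks through, including that 'unsafe-inline' stops counting once a nonce or hash source is present. The handler text toggleMenu() and the nonce value are constructed.

```python
"""Model a browser's decision whether an inline event handler may run.

Added example, not TYPO3 code: an inline onclick="..." handler is blocked by
default, allowed by 'unsafe-inline', or allowed by 'unsafe-hashes' together
with a matching 'sha256-...' source. 'unsafe-inline' is ignored as soon as a
nonce or hash source appears in the same directive (CSP Level 2/3 behaviour).
"""
import base64
import hashlib

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def handler_hash(handler_source: str) -> str:
    """CSP source expression for an inline handler, e.g. 'sha256-<base64>'.
    The digest covers the attribute value exactly, without the quotes."""
    digest = hashlib.sha256(handler_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_src_tokens(policy: str) -> list[str]:
    """Source list of the script-src directive; [] when it is absent."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def inline_handler_allowed(policy: str, handler_source: str) -> bool:
    """True if the inline handler would execute under the given policy."""
    tokens = script_src_tokens(policy)
    has_nonce_or_hash = any(t.startswith(HASH_OR_NONCE_PREFIXES) for t in tokens)
    # Pitfall from the talk: 'unsafe-inline' only counts while no nonce or
    # hash source is present in the directive.
    if "'unsafe-inline'" in tokens and not has_nonce_or_hash:
        return True
    # Hash sources apply to event handlers only together with 'unsafe-hashes'.
    if "'unsafe-hashes'" in tokens and handler_hash(handler_source) in tokens:
        return True
    return False


if __name__ == "__main__":
    handler = "toggleMenu()"  # constructed onclick handler body
    for policy in ("script-src 'self'",
                   "script-src 'self' 'unsafe-inline'",
                   "script-src 'self' 'unsafe-hashes' " + handler_hash(handler),
                   "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'"):
        print(f"{policy!r}: {inline_handler_allowed(policy, handler)}")
```

The last policy in the demo is the trap from slide 39: adding a nonce to a policy that relied on 'unsafe-inline' silently breaks every inline handler that has no hash.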
40. Pitfalls
Google’s Suggestion on Integrating Google Maps
❌ CSP Level 3
CSP Level 2
41. Pitfalls
▪ false-positive reports
▪ caused by browser plugins
▪ can use own scheme, e.g.
  ▪ moz-extension:
  ▪ safari-extension:
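Triage logic for the false-positive reports described on this slide, as an added Python example (not TYPO3's reporting module or its violation handlers): reports whose blocked-uri or source-file carries a browser-extension scheme are bucketed as noise, everything else is kept for review. The sample reports, the nonce value and the chrome-extension: scheme are constructed or added here; the page itself names only moz-extension: and safari-extension:.

```python
"""Triage CSP violation reports and flag those caused by browser extensions.

Added example, not TYPO3's reporting module. Violations injected by browser
extensions arrive with the extension's own URL scheme (moz-extension:,
safari-extension:, ...) and are false positives that no change to the site's
policy can fix. All sample reports below are constructed.
"""
import json
from urllib.parse import urlsplit

# Schemes used by browser extensions; extend with what your own reports show.
EXTENSION_SCHEMES = {"moz-extension", "safari-extension", "chrome-extension"}


def _report(blocked_uri: str, directive: str) -> str:
    """Build one constructed report in the legacy report-uri JSON format."""
    return json.dumps({"csp-report": {
        "document-uri": "https://typo3v12.ddev.site/",
        "blocked-uri": blocked_uri,
        "violated-directive": directive,
        "effective-directive": directive,
        "original-policy": "script-src 'self' 'nonce-abc123'; style-src 'self'",
    }})


SAMPLE_REPORTS = [
    _report("moz-extension://1f2e3d4c-0000-4000-8000-000000000000/content.js", "script-src-elem"),
    _report("safari-extension", "style-src"),
    _report("https://hacko3v12.ddev.site/static/cross-script.js", "script-src-elem"),
    _report("eval", "script-src"),
]


def scheme_of(uri: str) -> str:
    """Scheme of a blocked-uri/source-file value; browsers may report only the
    bare scheme name (e.g. "safari-extension") instead of a full URL."""
    return urlsplit(uri).scheme.lower() if "://" in uri else uri.rstrip(":").lower()


def is_extension_noise(body: dict) -> bool:
    """True when the violation was caused by a browser extension."""
    fields = (body.get("blocked-uri", ""), body.get("source-file", ""))
    return any(scheme_of(f) in EXTENSION_SCHEMES for f in fields if f)


def triage(raw_reports: list[str]) -> dict[str, list[str]]:
    """Sort raw JSON reports into 'noise' and 'review' buckets, listing each
    report's blocked-uri, so only actionable violations reach an integrator."""
    buckets: dict[str, list[str]] = {"noise": [], "review": []}
    for raw in raw_reports:
        body = json.loads(raw).get("csp-report", {})
        key = "noise" if is_extension_noise(body) else "review"
        buckets[key].append(body.get("blocked-uri", ""))
    return buckets
```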
44. Pitfalls
▪ Google Translate proxies site
▪ request was actually blocked