[TASK] Rework CSP documentation, add reference to Config module (#5455)

* [TASK] Rework CSP documentation, add reference to Config module

Resolves #5005
Releases: main, 13.4, 12.4

* [TASK] Apply review feedback

* [TASK] Link to "Nonce"

* [TASK] Add real-world example, add sub-sections, more more more

* [TASK] Adjust for CGL

* [TASK] More CGL

* Update Index.rst

Co-authored-by: Lina Wolf <[email protected]>

* Update Index.rst

Co-authored-by: Lina Wolf <[email protected]>

* Update Index.rst

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update _csp_example_com.yaml

Co-authored-by: Chris Müller <[email protected]>

* Update _csp_example_org.yaml

Co-authored-by: Chris Müller <[email protected]>

* Update ContentSecurityPolicy.rst

Co-authored-by: Chris Müller <[email protected]>

* [TASK] Adjust intendation

* [TASK] Language checks

Releases: main

* Update _csp_example_com.yaml

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update Index.rst

Co-authored-by: Chris Müller <[email protected]>

* Update _csp_example_org.yaml

Co-authored-by: Chris Müller <[email protected]>

* [TASK] Add link to chris' CSP resources

* [TASK] Do not whitelist iframe src examples

---------

Co-authored-by: Lina Wolf <[email protected]>
Co-authored-by: Chris Müller <[email protected]>
Co-authored-by: Sarah McCarthy <[email protected]>

Author: 4 people

Documentation/ApiOverview/ContentSecurityPolicy/Index.rst

@@ -12,50 +12,66 @@
 use TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
 use TYPO3\CMS\Core\Type\Map;
 
-return Map::fromEntries([
-    // Provide declarations for the backend
-    Scope::backend(),
-    // NOTICE: When using `MutationMode::Set` existing declarations will be overridden
+return Map::fromEntries(
+    [
+        // Provide declarations for the backend
+        Scope::backend(),
+        // NOTICE: When using `MutationMode::Set` existing declarations will be overridden
 
-    new MutationCollection(
-        // Results in `default-src 'self'`
-        new Mutation(
-            MutationMode::Set,
-            Directive::DefaultSrc,
-            SourceKeyword::self,
-        ),
+        new MutationCollection(
+            // Results in `default-src 'self'`
+            new Mutation(
+                MutationMode::Set,
+                Directive::DefaultSrc,
+                SourceKeyword::self,
+            ),
 
-        // Extends the ancestor directive ('default-src'),
-        // thus reuses 'self' and adds additional sources
-        // Results in `img-src 'self' data: https://*.typo3.org`
-        new Mutation(
-            MutationMode::Extend,
-            Directive::ImgSrc,
-            SourceScheme::data,
-            new UriValue('https://*.typo3.org'),
-        ),
-        // NOTICE: the following two instructions for `Directive::ImgSrc` are identical to the previous instruction,
-        // `MutationMode::Extend` is a shortcut for `MutationMode::InheritOnce` and `MutationMode::Append`
-        // new Mutation(MutationMode::InheritOnce, Directive::ImgSrc, SourceScheme::data),
-        // new Mutation(MutationMode::Append, Directive::ImgSrc, SourceScheme::data, new UriValue('https://*.typo3.org')),
+            // Extends the ancestor directive ('default-src'),
+            // thus reuses 'self' and adds additional sources
+            // Results in `img-src 'self' data: https://*.typo3.org`
+            new Mutation(
+                MutationMode::Extend,
+                Directive::ImgSrc,
+                SourceScheme::data,
+                new UriValue('https://*.typo3.org'),
+            ),
+            // NOTICE: the following two instructions for `Directive::ImgSrc` are identical to the previous instruction,
+            // `MutationMode::Extend` is a shortcut for `MutationMode::InheritOnce` and `MutationMode::Append`
+            // new Mutation(MutationMode::InheritOnce, Directive::ImgSrc, SourceScheme::data),
+            // new Mutation(MutationMode::Append, Directive::ImgSrc, SourceScheme::data, new UriValue('https://*.typo3.org')),
 
-        // Extends the ancestor directive ('default-src'),
-        // thus reuses 'self' and adds additional sources
-        // Results in `script-src 'self' 'nonce-[random]'`
-        // ('nonce-proxy' is substituted when compiling the policy)
-        new Mutation(
-            MutationMode::Extend,
-            Directive::ScriptSrc,
-            SourceKeyword::nonceProxy,
-        ),
+            // Extends the ancestor directive ('default-src'),
+            // thus reuses 'self' and adds additional sources
+            // Results in `script-src 'self' 'nonce-[random]'`
+            // ('nonce-proxy' is substituted when compiling the policy)
+            new Mutation(
+                MutationMode::Extend,
+                Directive::ScriptSrc,
+                SourceKeyword::nonceProxy,
+            ),
 
-        // Sets (overrides) the directive,
-        // thus ignores 'self' of the 'default-src' directive
-        // Results in `worker-src blob:`
-        new Mutation(
-            MutationMode::Set,
-            Directive::WorkerSrc,
-            SourceScheme::blob,
+            // Sets (overrides) the directive,
+            // thus ignores 'self' of the 'default-src' directive
+            // Results in `worker-src blob:`
+            new Mutation(
+                MutationMode::Set,
+                Directive::WorkerSrc,
+                SourceScheme::blob,
+            ),
+        ),
+    ],
+    [
+        // You can also additionally provide frontend declarations
+        Scope::frontend(),
+        new MutationCollection(
+            // Sets (overrides) the directive,
+            // thus ignores 'self' of the 'default-src' directive
+            // Results in `worker-src https://*.workers.example.com:`
+            new Mutation(
+                MutationMode::Set,
+                Directive::WorkerSrc,
+                new UriValue('https://*.workers.example.com'),
+            ),
         ),
-    ),
-]);
+    ],
+);

Documentation/ApiOverview/ContentSecurityPolicy/_ContentSecurityPolicies.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Mutation;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationCollection;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationMode;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
+use TYPO3\CMS\Core\Type\Map;
+
+return Map::fromEntries([
+    // Provide declarations for the backend only
+    Scope::backend(),
+    new MutationCollection(
+        new Mutation(
+            MutationMode::Extend,
+            // Note: it's "FrameSrc" not "IFrameSrc"
+            Directive::FrameSrc,
+            new UriValue('https://cdn.example.com'),
+        ),
+        new Mutation(
+            MutationMode::Extend,
+            Directive::ImgSrc,
+            new UriValue('https://cdn.example.com'),
+        ),
+        new Mutation(
+            MutationMode::Extend,
+            Directive::ScriptSrc,
+            new UriValue('https://cdn.example.com'),
+        ),
+    ),
+]);

Documentation/ApiOverview/ContentSecurityPolicy/_ContentSecurityPolicies_example.php

@@ -0,0 +1,21 @@
+enforce:
+  inheritDefault: true
+  # site-specific mutations could also be listed, like this:
+  # mutations:
+  #  - mode: "append"
+  #    directive: "img-src"
+  #    sources:
+  #      - "cdn.example.com"
+  #      - "assets.example.com"
+
+# alternatively (or additionally!), reporting can be set too,
+# for example when testing stricter rules than above
+# (note the missing 'assets.example.com')
+# reporting:
+#   inheritDefault: true
+#   mutations:
+#    - mode: "append"
+#      directive: "img-src"
+#      sources:
+#        - "cdn.example.com"
+#

Documentation/ApiOverview/ContentSecurityPolicy/_csp_enforce.yaml

@@ -0,0 +1,30 @@
+# Inherits default frontend policy mutations provided by Core and 3rd-party extensions (enabled per default)
+inheritDefault: true
+mutations:
+  # Allow frames/iframes to TRUSTED specific locations
+  # Avoid "protocol only" white-list like "https:" here,
+  # because it could inject javascript easily, the most important reason
+  # why CSP was invented was to block security issues like this.
+  # (Note: it's "frame-src" not "iframe-src")
+  - mode: "extend"
+    directive: "frame-src"
+    sources:
+      - "https://*.example.org"
+      - "https://*.example.com"
+      - "https://*.instagram.com"
+      - "https://*.vimeo.com"
+      - "https://*.youtube.com"
+
+  # Allow img src to anyhwere (HTTPS only, not HTTP)
+  - mode: "extend"
+    directive: "img-src"
+    sources:
+      - "https:"
+
+  # Allow script src to the specified domains (HTTPS only)
+  - mode: "extend"
+    directive: "script-src"
+    sources:
+      - "https://cdn.example.com"
+      - "https://*.youtube.com"
+      - "https://*.google.com"

Documentation/ApiOverview/ContentSecurityPolicy/_csp_example_com.yaml

@@ -0,0 +1,25 @@
+# Inherits default frontend policy mutations provided by Core and 3rd-party extensions (enabled per default)
+inheritDefault: true
+mutations:
+  # Allow frame/iframe src to the specified domains (HTTPS only)
+  - mode: "extend"
+    # (Note: it's "frame-src" not "iframe-src")
+    directive: "frame-src"
+    sources:
+      - "https://cdn.example.com"
+      - "https://*.youtube.com"
+
+  # Allow img src to the specified domains (HTTPS only)
+  - mode: "extend"
+    directive: "img-src"
+    sources:
+      - "https://cdn.example.com"
+      - "https://*.instagram.com"
+
+  # Allow script src to the specified domains (HTTPS only)
+  - mode: "extend"
+    directive: "script-src"
+    sources:
+      - "https://cdn.example.com"
+      - "https://*.youtube.com"
+      - "https://*.google.com"

Documentation/ApiOverview/ContentSecurityPolicy/_csp_example_org.yaml

@@ -31,6 +31,15 @@ impractical for some sites) or add content security policy headers for
 these directories - basically all public available base directories of
 file storages (`sys_file_storage`).
 
+Please note that the CSP configuration in :ref:`content-security-policy`
+only applies to pages served by TYPO3 (when PHP is involved, allowing
+the configured Middleware to be utilized).
+
+Files that are not served by TYPO3, as is the case with files in :file:`fileadmin/`, need
+manual server configuration if CSP is to be applied, for example to :file:`.svg` files
+to prevent possible execution and loading of further
+remote resources or scripts.
+
 The following example sends a corresponding CSP_ header for any file
 accessed via :samp:`https://example.org/fileadmin/...`: