oveleon/contao-cookiebar

Contao 5.3 CSP Support

Closed this issue · 8 comments

Hello.

I'd like to suggest implementing CSP support: the inline scripts throw errors if you activate CSP in Contao 5.3 and use version 2.0.0-RC1. Contao 5.3 offers the CspHandler, see: https://docs.contao.org/dev/framework/csp/#the-csphandler

Thank you for this exquisite plug-in! Best regards!

@webwerkwien could you test the branch dev-feature/csp?

Also note that this is now ^5.3 only.

Good evening, it works well with the dev-feature/csp version on Contao 5.3. I will keep it running with CSP activated inside Contao in report-only mode. This way you can check the source code yourself on web.werk.wien.
I see the nonce added to the inline script, and no CSP-related error exists in the browser's developer tools.

Of course, I had to add certain entries in my policy, like script-src 'self' https://www.googletagmanager.com/gtag/js; and connect-src 'self' https://region1.google-analytics.com;.

Please let me know when I can switch back to a regular branch. :)

Thank you and good night!

Hey @webwerkwien,

Of course, I had to add certain entries in my policy, like script-src 'self' https://www.googletagmanager.com/gtag/js; and connect-src 'self' https://region1.google-analytics.com;.

-> Yes, that's how CSP works, you have to add the policies you want to allow.

If you have some time, would you mind testing this one as well, #192? It would help a lot.

Just add this to your composer.json

"repositories": [
    {
        "type": "git",
        "url": "https://github.com/xprojects-de/contao-cookiebar.git"
    }
]

and the requirement like this:

"require": {
    "oveleon/contao-cookiebar": "dev-csp-support"
}

It's a different approach for the implementation (without changes to how the cookiebar script is being added to the layout); I just want to make sure it works with your setup as well.

I am not allowed to install it.

Resolving dependencies using Composer Cloud v3.7.0
[6.9MiB/0.24s] Loading composer repositories with package information
An error occurred during resolving process:
Failed to clone wrong repo

  git@github.com: Permission denied (publickey).
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.

@webwerkwien I edited my message yesterday; I had added a wrong repository.

Can you see the changes?

It's this path (not the other one):
https://github.com/xprojects-de/contao-cookiebar.git

Sorry, I took the code from the e-mail and was already wondering about the path. I changed the path; now the installation stops with this error:

$ /opt/php-8.1/bin/php -q -dmax_execution_time=0 -dmemory_limit=-1 -ddisplay_errors=0 -ddisplay_startup_errors=0 -derror_reporting=0 -dallow_url_fopen=1 -ddisable_functions= -ddate.timezone=Europe/Berlin /var/www/clients/client2/web167/web/public/contao-manager.phar.php composer install --no-dev --no-progress --no-ansi --no-interaction --optimize-autoloader
Using config.component-dir has been deprecated. Please use extra.contao-component-dir instead.
Installing dependencies from lock file
Verifying lock file contents can be installed on current platform.
Package operations: 0 installs, 2 updates, 0 removals
As there is no 'unzip' nor '7z' command installed zip files are being unpacked using the PHP zip extension.
This may cause invalid reports of corrupted archives. Besides, any UNIX permissions (e.g. executable) defined in the archives will be lost.
Installing 'unzip' or '7z' (21.01+) may remediate them.
  - Syncing oveleon/contao-cookiebar (dev-csp-support 121d041) into cache
In Git.php line 384:

  Failed to clone https://github.com/xprojects-de/contao-cookiebar.git, git was not found, check that it is installed and in your PATH env.

  sh: line 1: git: command not found

install [--prefer-source] [--prefer-dist] [--prefer-install PREFER-INSTALL] [--dry-run] [--download-only] [--dev] [--no-suggest] [--no-dev] [--no-autoloader] [--no-progress] [--no-install] [--audit] [--audit-format AUDIT-FORMAT] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX] [--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--] [<packages>...]
# Process terminated with exit code 1
# Result: General error

Ah, it seems git is not installed on your webspace.
Anyway, I really appreciate your help and testing.
We'll decide on a solution next week and see which one suits the Cookiebar better.

@webwerkwien We just released CSP Support in 2.0.0-RC2