False (?) INTincScript warning with TYPO3 12 #389

Open
kraemer81 opened this issue May 18, 2023 · 10 comments
@kraemer81

Hi there,

staticfilecache detects an INTincScript on all of my pages and this comes from these lines within the TYPO3 core:
https://github.com/TYPO3/typo3/blob/v12.4.1/typo3/sysext/frontend/Classes/Http/RequestHandler.php#L145C3-L149

I'm not sure if I can avoid this by configuration changes? I do not have CSP activated for the frontend.

My Environment (ddev):

  • TYPO3 Version: 12.4.1
  • SFC Version: 13.0.1
  • PHP Version: 8.1.0
  • OS: Unix
  • Composer: yes
@kraemer81 kraemer81 added the bug label May 18, 2023
@lochmueller
Owner

Hey @kraemer81

thanks for this finding. Good question :) Perhaps we should ignore the `NonceValueSubstitution::class . '->substituteNonce'` entry in

```php
foreach ((array) $tsfe->config['INTincScript'] as $key => $configuration) {
```

?! If I understand Nonce right, it could be a random entry, but matching the generated page. So we can cache the page, even if the Nonce replacement is used by the core.

I will test this in the next days/weeks.

Regards,
Tim

@kraemer81
Author

Hi @lochmueller,

thank you for your fast reply! Yes, this was also my first thought to just ignore it when looping through the INTincScript array. But I do not have the insights, if this is the best solution.

I'm looking forward to your fix and will be happy to test it!

Andi

@kraemer81
Author

Hi @lochmueller,

I just saw this Bugfix in TYPO3 12.4.2, which is related: TYPO3/typo3@bd4980f237

So, with TYPO3 12.4.2+ and without CSP, staticfilecache should be working fine again.

@ohader
Contributor

ohader commented Aug 15, 2023

I have been made aware of this problem during the TYPO3 Developer Days 2023 (which applies to other external cache services like Varnish as well, see https://forge.typo3.org/issues/100887).

I've created a WIP patch for the TYPO3 Core that switches the strategy from using dynamic nonce values to static hash values. This way, the response headers can be cached and served along with the "file cached" contents.
→ find the work-in-progress draft at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
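To make the nonce-versus-hash trade-off concrete, here is an added example (not code from TYPO3 or ext:staticfilecache) that derives a hash-based `script-src` directive from a page's inline scripts and contrasts it with a nonce-based one: the hash header is a pure function of the HTML, so it can be stored next to a static file, while the nonce header has to differ on every response. The sample HTML and the helper names are constructed for this example.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample page with two inline scripts (not from TYPO3 or staticfilecache).
SAMPLE_HTML = """<!doctype html>
<html><head>
<script>console.log("hello");</script>
</head><body>
<script>
  document.body.dataset.ready = "1";
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def inline_scripts(html):
    """Return the raw body of every inline <script> element, byte for byte.

    CSP hashes the exact text between the tags, so whitespace is kept as-is.
    """
    return SCRIPT_RE.findall(html)


def csp_hash(source):
    """Return the CSP source expression 'sha256-<base64>' for one inline script body."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hash_based_csp(html):
    """Build a script-src directive from hashes. Identical HTML yields an identical
    header, which is what makes it safe to store with a static file cache entry."""
    hashes = " ".join(csp_hash(s) for s in inline_scripts(html))
    return "script-src 'self' " + hashes


def nonce_based_csp(html):
    """Build the nonce variant: a fresh random nonce per response, stamped into both the
    header and the HTML, which is why neither can be replayed from a cache."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    header = f"script-src 'self' 'nonce-{nonce}'"
    nonced_html = re.sub(r"<script\b", f'<script nonce="{nonce}"', html, flags=re.IGNORECASE)
    return header, nonced_html


def script_allowed(header, source):
    """Check whether an inline script body is permitted by a hash-based header."""
    return csp_hash(source) in header.split()


if __name__ == "__main__":
    print(hash_based_csp(SAMPLE_HTML))
    h1, _ = nonce_based_csp(SAMPLE_HTML)
    h2, _ = nonce_based_csp(SAMPLE_HTML)
    print("nonce headers differ between responses:", h1 != h2)
```

Because the hash covers the exact script text, any post-processing of the cached HTML (minification, whitespace normalisation, template substitutions) has to run before the hashes are computed; otherwise the stored header no longer matches the stored body and the browser blocks the scripts.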

@ohader
Contributor

ohader commented Nov 2, 2023

I'm about to test the core changes with ext:staticfilecache - the most important change is to cache the Content-Security-Policy HTTP header in addition, since it contains the hash-sums of the used assets.

However I'm still searching for a good & standard possibility to deliver HTTP headers directly (without invoking PHP). For Apache there's e.g. the send-as-is handler, but I did not find similar (standard) directives for nginx. As last resort, CSP can be integrated as HTML meta-element (e.g. <meta http-equiv="Content-Security-Policy" content="..." />).

Any suggestions/ideas?

@ohader
Contributor

ohader commented Nov 2, 2023

Maybe nginx njs, which supports r.headersOut and fs.existsSync (see njs examples)?
I have no idea how njs performs and how much the fs.*Sync (blocking IO) operations reduce the response performance.

@lochmueller
Owner

Uff... good question. Sorry, but I am not the nginx guy. Most of the nginx rules are contributed by other people. My part was only the apache configuration ;) I will check this in the next days... perhaps I can build up a test nginx and test a little bit.

@ohader
Contributor

ohader commented Nov 3, 2023

I'm rephrasing the question: In case there is no simple solution to dumping HTTP headers from a file with nginx, what would be the next "acceptable" fallback - e.g. a PSR-15 middleware, or a plain simple PHP dispatcher script, or ...?

Anyway, I'm focussing on Apache and the send-as-is module for the time being - just the check & test whether the core with enabled CSP finally works with ext:staticfilecache...

@lochmueller
Owner

Hey @ohader

both are possible.

There is a PHP Generator https://github.com/lochmueller/staticfilecache/blob/master/Classes/Generator/PhpGenerator.php with this template https://github.com/lochmueller/staticfilecache/blob/master/Resources/Private/Templates/Php.html that is executed without TYPO3 Context, incl. the header. I think the basic idea of the PHP generator was for nginx: 61ad917. I never used this before. This Generator is disabled by default.

But there is also the FallbackMiddleware https://github.com/lochmueller/staticfilecache/blob/master/Classes/Middleware/FallbackMiddleware.php that is used if the server does not handle a valid redirect; the Middleware will handle this. This middleware also sends the static Headers via a config.json file that is stored in the cache entry: https://github.com/lochmueller/staticfilecache/blob/master/Classes/Middleware/FallbackMiddleware.php#L131

Regards,
Tim

ohader added a commit to ohader/staticfilecache that referenced this issue Nov 5, 2023
`Content-Security-Policy` HTTP headers need to be statically cached as well. Adjustments to the Apache `.htaccess` generator ensure that the CSP reporting endpoint is updated for each request.

Besides that, the `preferCacheableResponse` CSP behavior is enforced to avoid using nonce values and to prefer hash values instead.

This TYPO3 v12.4 change is required to properly handle hash values automatically for assets:
https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

Core: 12.4
Related: lochmueller#389
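Pulling together the `config.json` sidecar Tim describes above and the nonce-avoidance the commit message enforces, here is an added example (not the extension's code; the directory layout, the function names and the placeholder hash are assumptions) showing the two delivery paths discussed in this thread: a fallback handler that reads stored headers back from the sidecar, and a rendering of the same entry in the format Apache's send-as-is handler (`mod_asis`) expects, so the headers can go out without invoking PHP. The cacheability check refuses to store a CSP that carries a nonce, since a nonce is per-response and replaying it from a cache would either break the page or defeat the nonce.

```python
import json
import os
import tempfile

# Constructed sample response (not from staticfilecache). The CSP value stands in for a
# hash-based header; the hash itself is a placeholder, not a real digest.
SAMPLE_BODY = "<!doctype html><html><body>cached page</body></html>"
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "script-src 'self' 'sha256-PLACEHOLDERHASH'",
}


def cacheable_headers(headers):
    """Return the headers that may be stored with a static cache entry, or raise if the
    CSP carries a nonce (only hash sources are stable across responses)."""
    cacheable = {}
    for name, value in headers.items():
        if name.lower() == "content-security-policy" and "'nonce-" in value:
            raise ValueError("CSP with nonce is not cacheable; use hash sources instead")
        cacheable[name] = value
    return cacheable


def write_cache_entry(cache_dir, body, headers):
    """Store index.html plus a config.json sidecar holding the headers (layout is an
    assumption modelled on the FallbackMiddleware description in this thread)."""
    os.makedirs(cache_dir, exist_ok=True)
    with open(os.path.join(cache_dir, "index.html"), "w", encoding="utf-8") as fh:
        fh.write(body)
    with open(os.path.join(cache_dir, "config.json"), "w", encoding="utf-8") as fh:
        json.dump({"headers": cacheable_headers(headers)}, fh)
    return cache_dir


def serve_cache_entry(cache_dir):
    """What a fallback (PSR-15 middleware or plain PHP dispatcher) does when the web
    server did not emit the headers itself: read config.json, return (headers, body)."""
    with open(os.path.join(cache_dir, "config.json"), encoding="utf-8") as fh:
        headers = json.load(fh)["headers"]
    with open(os.path.join(cache_dir, "index.html"), encoding="utf-8") as fh:
        body = fh.read()
    return headers, body


def as_asis_file(headers, body, status="200 OK"):
    """Render the entry as a mod_asis file: header lines, a blank line, then the body.
    The Status pseudo-header is the one mod_asis turns into the HTTP status line."""
    lines = [f"Status: {status}"]
    lines += [f"{name}: {value}" for name, value in cacheable_headers(headers).items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def roundtrip(body=SAMPLE_BODY, headers=SAMPLE_HEADERS):
    """Write an entry into a temporary directory and read it back through the fallback."""
    with tempfile.TemporaryDirectory() as tmp:
        entry = write_cache_entry(os.path.join(tmp, "example.test", "page"), body, headers)
        return serve_cache_entry(entry)


if __name__ == "__main__":
    headers, body = roundtrip()
    print(headers["Content-Security-Policy"])
    print(as_asis_file(SAMPLE_HEADERS, SAMPLE_BODY))
```

Whichever path serves the entry, the check belongs at write time: once a nonce-bearing header has been stored, every later reader (middleware, dispatcher script or web server) will faithfully replay it.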
@jacobsenj
Contributor

jacobsenj commented Jan 24, 2024

Hi @ohader,

just stumbled across this. I've contributed the PHP generator within ext:staticfilecache for use with nginx because the webserver software is lacking features to dynamically add headers like we used to do it in apache2. The generator is in production use on one of our clients' TYPO3 11 LTS + nginx setups with a modded ext:csp (https://extensions.typo3.org/extension/csp/). We're likely to upgrade to TYPO3 12 within 2024 and migrate all the existing settings from ext:csp to the newly integrated CSP features.
So regarding the nonce updates for apache2: will the nonce value just be cached and reused now, or did I just not understand the changes? If the nonce value is cached and reused, I assume this would work right away on my nginx setups.

Cheers
Jens

4 participants