-
-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
False (?) INTincScript warning with TYPO3 12 #389
Comments
Hey @kraemer81 thanks for this finding. Good question :) Perhaps we should ignore the "NonceValueSubstitution::class . '->substituteNonce'" entry in
I will test this in the next days/weeks. Regards, |
Hi @lochmueller, thank you for your fast reply! Yes, this was also my first thought to just ignore it when looping through the INTincScript array. But I do not have the insights, if this is the best solution. I'm looking forward to your fix and will be happy to test it! Andi |
Hi @lochmueller, I just saw this Bugfix in TYPO3 12.4.2, which is related: TYPO3/typo3@bd4980f237 So, with TYPO3 12.4.2+ and without CSP, staticfilecache should be working fine again. |
I have been made aware of this problem during the TYPO3 Developer Days 2023 (which applies to other external cache services linke Varnish as well, see https://forge.typo3.org/issues/100887). I've created a WIP patch for the TYPO3 Core that switches the strategy from using dynamic nonce values to static hash values. This way, the response headers can be cached and served along with the "file cached" contents. |
I'm about to test the core changes with However I'm still searching for a good & standard possibility to deliver HTTP headers directly (without invoking PHP). For Apache there's e.g. the Any suggestions/ideas? |
Maybe |
Uff... good question. Sorry, but I am not the nginx guy. Most of the nginx rules are contributed by other people. My part was only the apache configuration ;) I will check this in the next days... perhaps I can build up a test nginx and test a little bit. |
I'm rephrasing the question: In case there is no simple solution to dumping HTTP headers from a file with nginx, what would be the next "acceptable" fallback - e.g. a PSR-15 middleware, or a plain simple PHP dispatcher script, or ...? Anyway, I'm focussing on Apache and the |
Hey @ohader both is possible. There is a PHP Generator https://github.com/lochmueller/staticfilecache/blob/master/Classes/Generator/PhpGenerator.php with this template https://github.com/lochmueller/staticfilecache/blob/master/Resources/Private/Templates/Php.html that is executed without TYPO3 Context incl. the header. I think the basic idea of the php generator was for nginx: 61ad917 I never used this before. This Generator is disabled in the default. But there is also the FallbackMiddleware https://github.com/lochmueller/staticfilecache/blob/master/Classes/Middleware/FallbackMiddleware.php that is used, if the server does not handle a valid redirect, the Middleware will handle this. This middleware also sends the static Headers via a config.json file that is stored in the cache entry: https://github.com/lochmueller/staticfilecache/blob/master/Classes/Middleware/FallbackMiddleware.php#L131 Regards, |
`Content-Security-Policy` HTTP headers need to be statically cached as well. Adjustments the Apache `.htaccess` generator ensure, that the CSP reporting endpoint is updated for each request. Besides that, the `preferCacheableResponse` CSP behavior is enforced to avoid using nonce values and to prefer hash values instead. This TYPO3 v12.4 change is required to properly handling hash values automatically for assets: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554 Core: 12.4 Related: lochmueller#389
Hi @ohader, just stumbled across this. I've contributed the php generator within ext:staticfilecache for use with nginx because the webserver software is lacking features to dynamically add headers like we used to do it in apache2. The generator is in production use on one of our clients TYPO3 11 LTS + nginx setup with a modded ext:csp (https://extensions.typo3.org/extension/csp/) . We're likely to upgrade to TYPO3 12 within 2024 and migrate all the existing settings from ext:csp to the newly integrated csp features. Cheers |
Hi there,
staticfilecache detects an INTincScript on all of my pages and this comes from these lines within the TYPO3 core:
https://github.com/TYPO3/typo3/blob/v12.4.1/typo3/sysext/frontend/Classes/Http/RequestHandler.php#L145C3-L149
I'm not sure if I can avoid this by configuration changes? I do not have CSP activated for the frontend.
My Environment (ddev):
The text was updated successfully, but these errors were encountered: