[TASK] Allow to disable CSP headers for a particular site

This change allows to disable CSP headers for a particular site configured in `sites/<my-site>/csp.yaml` by using the assignment `enable: false`. Resolves: #104549 Releases: main, 12.4 Change-Id: I9e17b5658610e5d47915a5e45ca6a33a870e8d76 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85622 Tested-by: core-ci <typo3@b13.com> Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>

[TASK] Allow to disable CSP headers for a particular site
This change allows to disable CSP headers for a particular site configured in `sites/<my-site>/csp.yaml` by using the assignment `enable: false`. Resolves: #104549 Releases: main, 12.4 Change-Id: I9e17b5658610e5d47915a5e45ca6a33a870e8d76 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85622 Tested-by: core-ci <typo3@b13.com> Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
56f64089 · Oliver Hader · Oliver Hader · 95f71d85 · 56f64089 · 56f64089
Commit 56f64089 authored 7 months ago by Oliver Hader Committed by Oliver Hader 7 months ago
--- a/typo3/sysext/core/Documentation/Changelog/12.4.x/Important-104549-DisableContent-Security-PolicyHeadersForParticularSite.rst
+++ b/typo3/sysext/core/Documentation/Changelog/12.4.x/Important-104549-DisableContent-Security-PolicyHeadersForParticularSite.rst
+.. include:: /Includes.rst.txt
+
+.. _important-104549-1723461851:
+
+================================================================================
+Important: #104549 - Disable Content-Security-Policy headers for particular site
+================================================================================
+
+See :issue:`104549`
+
+Description
+===========
+
+The feature flag :php:`$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.enforceContentSecurityPolicy']`
+applies Content-Security-Policy headers to any frontend site. The dedicated :file:`sites/<my-site>/csp.yaml` can be used
+to explicitly disable CSP for a particular site.
+
+..  code-block:: yaml
+    :caption: config/sites/<my-site>/csp.yaml
+
+    # enables content-security-policy headers for this specific site (enabled per default)
+    # (`enable: false` can be used to disable CSP for a particular site)
+    enable: false
+
+.. index:: Frontend, YAML, ext:frontend
--- a/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
+++ b/typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php
@@ -46,15 +46,17 @@ final class ContentSecurityPolicyHeaders implements MiddlewareInterface

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
+        $site = $request->getAttribute('site');
        // return early in case CSP shall not be used
-        if (!$this->features->isFeatureEnabled('security.frontend.enforceContentSecurityPolicy')) {
+        if (!$this->features->isFeatureEnabled('security.frontend.enforceContentSecurityPolicy')
+            || ($site !== null && !($site->getConfiguration()['contentSecurityPolicies']['enable'] ?? true))
+        ) {
            return $handler->handle($request);
        }
        // make sure, the nonce value is set before processing the remaining middlewares
        $request = $request->withAttribute('nonce', $this->requestId->nonce);
        $response = $handler->handle($request);

-        $site = $request->getAttribute('site');
        $scope = Scope::frontendSite($site);
        if ($response->hasHeader('Content-Security-Policy') || $response->hasHeader('Content-Security-Policy-Report-Only')) {
            $this->logger->info('Content-Security-Policy not enforced due to existence of custom header', [