"...Resources/Public/git@git.higidi.com:TYPO3/TYPO3.CMS.git" did not exist on "db2b2ca62c8aecb7465fd2923fa9de4122786c06"
- Sep 10, 2024
Thomas Hohn authored
If the 'contentSecurityPolicies' value is not filled properly in the site configuration, the call to $site->getConfiguration()['contentSecurityPolicies'] will fail. The access should be guarded with a null coalescing operator.

Resolves: #104873
Releases: main, 12.4
Change-Id: Ie49a25d8ca9a194629c4a389b17b299091d44031
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85977
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: Benni Mack <benni@typo3.org>
- Aug 28, 2024
Oliver Hader authored
+ new feature flag `security.frontend.reportContentSecurityPolicy`, to be used next to `security.frontend.enforceContentSecurityPolicy`, resulting in `Content-Security-Policy-Report-Only` and/or `Content-Security-Policy` HTTP headers
+ new `enforce` and `report` segments in `csp.yaml` site config
+ possibility to disable CSP for a particular site by either setting `active: false` in the `csp.yaml` site config
+ allows having the HTTP headers `Content-Security-Policy` and `Content-Security-Policy-Report-Only` side-by-side in the frontend

Resolves: #101580
Resolves: #104549
Releases: main, 12.4
Change-Id: I8c1a8305702629eac1bfedddbecbc19b452fd500
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: ...
- Aug 15, 2024
Oliver Hader authored
Aims to combine disabling site-specific CSP with report-only mode later.

This reverts commit acf70306.

Reverts: #104549
Resolves: #104633
Releases: main, 12.4
Change-Id: I651f60d7b5cc24133801412c8f09b1efba98d3f4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85646
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Garvin Hicking <gh@faktor-e.de>
- Aug 14, 2024
Oliver Hader authored
This change allows disabling CSP headers for a particular site configured in `sites/<my-site>/csp.yaml` by using the assignment `enable: false`.

Resolves: #104549
Releases: main, 12.4
Change-Id: I9e17b5658610e5d47915a5e45ca6a33a870e8d76
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85591
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
- Jun 26, 2024
Oliver Bartsch authored
For additional context, the PolicyMutatedEvent now provides the current PSR-7 Request.

Resolves: #104141
Releases: main, 12.4
Change-Id: I1817366e77f20f6c43eef0ee209fbb419e7237e2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84913
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
- May 27, 2024
Christian Kuhn authored
Using PHP attributes to configure DI within classes directly is easier to understand, since developers don't need to constantly look up DI configuration in Services.yaml files, but have everything in one place.

The patch switches all classes that previously used '@cache.xy' to get a specific cache injected to an `Autowire` attribute.

Resolves: #103921
Releases: main
Change-Id: I16b064242cdbc2bbcfbed89700c97afac012fdf8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84406
Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
- Oct 26, 2023
Oliver Hader authored
To identify whether a nonce value was actually used (consumed), `ConsumableNonce` instances are used instead of `Nonce` objects. The new `ConsumableNonce` inherits from `ConsumableString`. As a result, the `<f:security.nonce>` view helper would increase the consumption counter. This is important for additional cache handling in the frontend rendering context.

Resolves: #101751
Releases: main, 12.4
Change-Id: Iea147b0130e3d350f5913dc75f33af61c18e8af3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80235
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
- Oct 24, 2023
Christian Kuhn authored
It's time to update to the latest changes of php-cs-fixer to align with current community rules. This brings a rather huge series of changes, mainly due to the single_line_empty_body rule, which now formats empty class and method body curly braces into a single line, plus changes from the function_declaration rule, which tends to avoid more whitespace. The change has a slight impact on phpstan; we regenerate the baseline. To reduce backport headaches, this change is backported to v12 and v11.

> composer req --dev friendsofphp/php-cs-fixer:^3.35.1
> Build/Scripts/runTests.sh -s cgl
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #102236
Releases: main, 12.4, 11.5
Change-Id: Iea45b10667951672b2194033216c49f580799f55
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81512
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Jasmina Ließmann <minapokhalo+typo3@gmail.com>
Reviewed-by: Jasmina Ließmann <minapokhalo+typo3@gmail.com>
- May 17, 2023
Oliver Hader authored
Currently, CSP nonce values are used by default during the frontend rendering process (which basically would be fine). However, this also leads to the situation that the page is not considered to be fully cached anymore (`INTincScript`). With this change, CSP nonce values are only used if the corresponding CSP feature is enabled for the frontend scope.

Resolves: #100886
Releases: main, 12.4
Change-Id: I874b16a2c3f4791bfa4b0e9eb508c97b5485f1d0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79058
Tested-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: core-ci <typo3@b13.com>
- Apr 24, 2023
Christian Eßl authored
Avoid too much I/O blocking when compiling URLs in `HashProxy` by doing concurrent asynchronous fetch requests with the GuzzleHttp client. In addition, results of previously resolved URLs are now stored in the `assets` cache for one week.

Resolves: #100708
Releases: main
Change-Id: I362f81dccb0067f3691a1188878e6fea30af7100
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78787
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
- Apr 22, 2023
Oliver Hader authored
The new `ConsumableValue` class has been added, which is capable of tracking how often a value has been used for any kind of output. This way, it can be determined whether the nonce value would be required at all. This patch is a preparation for handling dynamic nonce values in cached scenarios during the frontend rendering process.

Other occurrences of `$properties['nonce']` in `PageRenderer` were without any specific functionality and have just been simplified.

Resolves: #100691
Releases: main
Change-Id: I7e200ba27d0e6f8d4dc3a20fc1ba333f398936ed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78776
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
- Mar 27, 2023
Oliver Hader authored
An internal csp-violation reporting endpoint is integrated, which keeps track of potential violations in frontend and backend scope. Alternative remote endpoints of 3rd party services can be configured within the TYPO3_CONF_VARS setting `contentSecurityPolicyReportingUrl` for `BE` or `FE`.

Violations ("reports") are visualized in the new Content-Security-Policy backend module, which allows selecting from possible suggestions that would resolve a violation - however, a user with system maintainer privileges has to make this decision.

For the time being, the `GoogleMapsHandler` has been added, which can be used as an inspiration for additional custom CSP violation handlers.

The following test extension triggers CSP violations: https://packagist.org/packages/oliver-hader/csp-test

Resolves: #87423
Related: #99499
Releases: main
Change-Id: I7476b954c896c4d367d4e41e3d0f6f663952e966
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/7799...
- Mar 16, 2023
Oliver Hader authored
This change introduces various representations of the Content-Security-Policy domain as PHP classes. The PSR-15 middlewares `ContentSecurityPolicyHeaders` apply the corresponding HTTP headers to each response in the frontend and backend scope - in case no other component already added a `Content-Security-Policy` or `Content-Security-Policy-Report-Only` header, and only if the corresponding feature flag is enabled:

+ `security.backend.enforceContentSecurityPolicy`
+ `security.frontend.enforceContentSecurityPolicy`

For new installations `security.backend.enforceContentSecurityPolicy` is enabled via factory default settings.

Resolves: #100055
Related: #99499
Related: #97068
Releases: main
Change-Id: I355393738f1d578b612e0e041e87be643f9e389a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77997
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>