False (?) INTincScript warning with TYPO3 12 about staticfilecache HOT 10 OPEN

Hi @lochmueller,

I just saw this Bugfix in TYPO3 12.4.2, which is related: TYPO3/typo3@bd4980f237

So, with TYPO3 12.4.2+ and without CSP, staticfilecache should be working fine again.

from staticfilecache.

I have been made aware of this problem during the TYPO3 Developer Days 2023 (which applies to other external cache services linke Varnish as well, see https://forge.typo3.org/issues/100887).

I've created a WIP patch for the TYPO3 Core that switches the strategy from using dynamic nonce values to static hash values. This way, the response headers can be cached and served along with the "file cached" contents.
→ find the work-in-progress draft at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554

from staticfilecache.

Hey @ohader

both is possible.

There is a PHP Generator https://github.com/lochmueller/staticfilecache/blob/master/Classes/Generator/PhpGenerator.php with this template https://github.com/lochmueller/staticfilecache/blob/master/Resources/Private/Templates/Php.html that is executed without TYPO3 Context incl. the header. I think the basic idea of the php generator was for nginx: 61ad917 I never used this before. This Generator is disabled in the default.

But there is also the FallbackMiddleware https://github.com/lochmueller/staticfilecache/blob/master/Classes/Middleware/FallbackMiddleware.php that is used, if the server does not handle a valid redirect, the Middleware will handle this. This middleware also sends the static Headers via a config.json file that is stored in the cache entry: https://github.com/lochmueller/staticfilecache/blob/master/Classes/Middleware/FallbackMiddleware.php#L131

Regards,
Tim

from staticfilecache.

Hey @kraemer81

thanks for this finding. Good question :) Perhaps we should ignore the "NonceValueSubstitution::class . '->substituteNonce'" entry in

I will test this in the next days/weeks.

Regards,
Tim

from staticfilecache.

Hi @lochmueller,

thank you for your fast reply! Yes, this was also my first thought to just ignore it when looping through the INTincScript array. But I do not have the insights, if this is the best solution.

I'm looking forward to your fix and will be happy to test it!

Andi

from staticfilecache.

I'm about to test the core changes with ext:staticfilecache - the most important change is to cache the Content-Security-Policy HTTP header in addition, since it contains the hash-sums of the used assets.

However I'm still searching for a good & standard possibility to deliver HTTP headers directly (without invoking PHP). For Apache there's e.g. the send-as-is handler, but I did not find similar (standard) directives for nginx. As last resort, CSP can be integrated as HTML meta-element (e.g. <meta http-equiv="Content-Security-Policy" content="..." />).

Any suggestions/ideas?

from staticfilecache.

Maybe nginx njs which support r.headersOut and fs.existsSync (see njs examples)?
I have no idea how njs performs and how much the fs.*Sync (blocking IO) operations reduce the response performance.

from staticfilecache.

Uff... good question. Sorry, but I am not the nginx guy. Most of the nginx rules are contributed by other people. My part was only the apache configuration ;) I will check this in the next days... perhaps I can build up a test nginx and test a little bit.

from staticfilecache.

I'm rephrasing the question: In case there is no simple solution to dumping HTTP headers from a file with nginx, what would be the next "acceptable" fallback - e.g. a PSR-15 middleware, or a plain simple PHP dispatcher script, or ...?

Anyway, I'm focussing on Apache and the send-as-is module for the time being - just the check & test whether the core with enabled CSP finally works with ext:staticfilecache...

from staticfilecache.

Hi @ohader,

just stumbled across this. I've contributed the php generator within ext:staticfilecache for use with nginx because the webserver software is lacking features to dynamically add headers like we used to do it in apache2. The generator is in production use on one of our clients TYPO3 11 LTS + nginx setup with a modded ext:csp (https://extensions.typo3.org/extension/csp/) . We're likely to upgrade to TYPO3 12 within 2024 and migrate all the existing settings from ext:csp to the newly integrated csp features.
So regarding the nonce updates for apache2: will the nonce value just be cached and reused now or did I just not understand the changes. If the nonce value is cached and reused I assume this would work right away on my nginx setups.

Cheers
Jens

from staticfilecache.