Comments (10)
Hi @lochmueller,
I just saw this Bugfix in TYPO3 12.4.2, which is related: TYPO3/typo3@bd4980f237
So, with TYPO3 12.4.2+ and without CSP, staticfilecache should be working fine again.
from staticfilecache.
I have been made aware of this problem during the TYPO3 Developer Days 2023 (which applies to other external cache services like Varnish as well, see https://forge.typo3.org/issues/100887).
I've created a WIP patch for the TYPO3 Core that switches the strategy from using dynamic nonce values to static hash values. This way, the response headers can be cached and served along with the "file cached" contents.
→ find the work-in-progress draft at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80554
from staticfilecache.
Hey @ohader
both are possible.
There is a PHP Generator https://github.com/lochmueller/staticfilecache/blob/master/Classes/Generator/PhpGenerator.php with this template https://github.com/lochmueller/staticfilecache/blob/master/Resources/Private/Templates/Php.html that is executed without TYPO3 Context incl. the header. I think the basic idea of the php generator was for nginx: 61ad917. I never used this before. This Generator is disabled by default.
But there is also the FallbackMiddleware https://github.com/lochmueller/staticfilecache/blob/master/Classes/Middleware/FallbackMiddleware.php that is used, if the server does not handle a valid redirect, the Middleware will handle this. This middleware also sends the static Headers via a config.json file that is stored in the cache entry: https://github.com/lochmueller/staticfilecache/blob/master/Classes/Middleware/FallbackMiddleware.php#L131
Regards,
Tim
from staticfilecache.
Hey @kraemer81
thanks for this finding. Good question :) Perhaps we should ignore the "NonceValueSubstitution::class . '->substituteNonce'" entry in
I will test this in the next days/weeks.
Regards,
Tim
from staticfilecache.
Hi @lochmueller,
thank you for your fast reply! Yes, this was also my first thought to just ignore it when looping through the INTincScript array. But I do not have the insights, if this is the best solution.
I'm looking forward to your fix and will be happy to test it!
Andi
from staticfilecache.
I'm about to test the core changes with `ext:staticfilecache` - the most important change is to cache the `Content-Security-Policy` HTTP header in addition, since it contains the hash-sums of the used assets.
However I'm still searching for a good & standard possibility to deliver HTTP headers directly (without invoking PHP). For Apache there's e.g. the `send-as-is` handler, but I did not find similar (standard) directives for nginx. As last resort, CSP can be integrated as HTML meta-element (e.g. `<meta http-equiv="Content-Security-Policy" content="..." />`).
Any suggestions/ideas?
from staticfilecache.
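The nonce-versus-hash point from the comments above, as an added example (not TYPO3 core or staticfilecache code; the function names and sample HTML are constructed for illustration): a hash-based `Content-Security-Policy` is derived from the cached body itself, so a stored header keeps matching the stored file, while a per-request nonce never matches a body that was cached with an older nonce.

```javascript
const nodeCrypto = require('node:crypto');

// CSP hash source for one inline block: base64 SHA-256 over its exact text.
function cspHash(inlineText) {
  const b64 = nodeCrypto.createHash('sha256').update(inlineText, 'utf8').digest('base64');
  return `'sha256-${b64}'`;
}

// Inline <script> elements (no src) as {attrs, body}. The regex is enough for
// the constructed samples below; it is not a general HTML parser.
function inlineScripts(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(m[1])) found.push({ attrs: m[1], body: m[2] });
  }
  return found;
}

// Header value a static cache can store beside the HTML file.
function hashPolicy(html) {
  const sources = inlineScripts(html).map((s) => cspHash(s.body));
  return ["script-src 'self'", ...sources].join(' ');
}

// True when the policy authorises every inline script in the body, either by
// a matching hash or by a nonce attribute equal to the nonce in the header.
function policyCoversBody(policy, html) {
  const nonce = (policy.match(/'nonce-([^']+)'/) || [])[1];
  return inlineScripts(html).every((s) => {
    const attr = (s.attrs.match(/\bnonce="([^"]*)"/) || [])[1];
    return policy.includes(cspHash(s.body)) || (nonce !== undefined && attr === nonce);
  });
}

// Constructed samples: the same page cached once with a nonce, once without.
const CACHED_NONCE_HTML = '<html><script nonce="r4nd0mA">init(1);</script></html>';
const CACHED_HASH_HTML = '<html><script>init(1);</script></html>';

// Per-request nonce header, as a dynamic (uncached) response would carry it.
function freshNoncePolicy() {
  return `script-src 'self' 'nonce-${nodeCrypto.randomBytes(16).toString('base64')}'`;
}
```

`policyCoversBody` also returns false once the cached body changes without the stored header being regenerated, which is the check to run whenever the cache entry and its header file are written separately.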
Maybe nginx `njs` which support `r.headersOut` and `fs.existsSync` (see `njs` examples)?
I have no idea how `njs` performs and how much the `fs.*Sync` (blocking IO) operations reduce the response performance.
from staticfilecache.
Uff... good question. Sorry, but I am not the nginx guy. Most of the nginx rules are contributed by other people. My part was only the apache configuration ;) I will check this in the next days... perhaps I can build up a test nginx and test a little bit.
from staticfilecache.
I'm rephrasing the question: In case there is no simple solution to dumping HTTP headers from a file with nginx, what would be the next "acceptable" fallback - e.g. a PSR-15 middleware, or a plain simple PHP dispatcher script, or ...?
Anyway, I'm focussing on Apache and the `send-as-is` module for the time being - just the check & test whether the core with enabled CSP finally works with `ext:staticfilecache`...
from staticfilecache.
Hi @ohader,
just stumbled across this. I've contributed the php generator within ext:staticfilecache for use with nginx because the webserver software is lacking features to dynamically add headers like we used to do it in apache2. The generator is in production use on one of our client's TYPO3 11 LTS + nginx setup with a modded ext:csp (https://extensions.typo3.org/extension/csp/). We're likely to upgrade to TYPO3 12 within 2024 and migrate all the existing settings from ext:csp to the newly integrated csp features.
So regarding the nonce updates for apache2: will the nonce value just be cached and reused now, or did I just not understand the changes? If the nonce value is cached and reused, I assume this would work right away on my nginx setups.
Cheers
Jens
from staticfilecache.