[TASK] Verify cache headers in CSP request handling test

Resolves: #107554
Releases: main, 13.4
Change-Id: I5f326c5c289e7add07e37de66574f52944260c94
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/90819
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Reviewed-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>

Author: ohader

typo3/sysext/core/Tests/Functional/SiteHandling/SiteBasedTestTrait.php

@@ -17,6 +17,7 @@
 
 namespace TYPO3\CMS\Core\Tests\Functional\SiteHandling;
 
+use Symfony\Component\Yaml\Yaml;
 use TYPO3\CMS\Core\Configuration\SiteConfiguration;
 use TYPO3\CMS\Core\Configuration\SiteWriter;
 use TYPO3\CMS\Core\Tests\Functional\Fixtures\Frontend\PhpError;
@@ -53,6 +54,7 @@ protected function writeSiteConfiguration(
         array $languages = [],
         array $errorHandling = [],
         array $dependencies = [],
+        ?array $csp = null,
     ): void {
         $configuration = $site;
         if (!empty($languages)) {
@@ -69,6 +71,13 @@ protected function writeSiteConfiguration(
             // ensure no previous site configuration influences the test
             GeneralUtility::rmdir($this->instancePath . '/typo3conf/sites/' . $identifier, true);
             $siteWriter->write($identifier, $configuration);
+            if ($csp !== null) {
+                GeneralUtility::writeFile(
+                    $this->instancePath . '/typo3conf/sites/' . $identifier . '/csp.yaml',
+                    Yaml::dump($csp, 99, 2, Yaml::DUMP_EMPTY_ARRAY_AS_SEQUENCE | Yaml::DUMP_OBJECT_AS_MAP),
+                    true
+                );
+            }
         } catch (\Exception $exception) {
             $this->markTestSkipped($exception->getMessage());
         }

typo3/sysext/frontend/Tests/Functional/SiteHandling/Fixtures/RequestHandler.typoscript

@@ -1,6 +1,7 @@
 config {
   debug = 1
   no_cache = 0
+  sendCacheHeaders = 1
 }
 
 page = PAGE

typo3/sysext/frontend/Tests/Functional/SiteHandling/RequestHandlerTest.php

@@ -51,7 +51,6 @@ final class RequestHandlerTest extends AbstractTestCase
 
     protected function setUp(): void
     {
-        $this->configurationToUseInTestInstance['SYS']['features']['security.frontend.enforceContentSecurityPolicy'] = true;
         $this->configurationToUseInTestInstance['FE']['debug'] = true;
         parent::setUp();
 
@@ -66,17 +65,26 @@ protected function setUp(): void
             static::failIfArrayIsNotEmpty($writer->getErrors());
             $this->setUpFrontendRootPage(
                 1000,
-                [
-                    'EXT:frontend/Tests/Functional/SiteHandling/Fixtures/RequestHandler.typoscript',
-                ],
-                [
-                    'title' => 'ACME Root',
-                ]
+                ['EXT:frontend/Tests/Functional/SiteHandling/Fixtures/RequestHandler.typoscript'],
+                ['title' => 'ACME Root']
+            );
+            $this->setUpFrontendRootPage(
+                1200,
+                ['EXT:frontend/Tests/Functional/SiteHandling/Fixtures/RequestHandler.typoscript'],
+                ['title' => 'ACME Features']
             );
         });
         $this->writeSiteConfiguration(
-            'website-local',
-            $this->buildSiteConfiguration(1000, 'https://website.local/')
+            'website-default',
+            $this->buildSiteConfiguration(1000, 'https://website.local/default/'),
+        );
+        $this->writeSiteConfiguration(
+            'website-csp-enabled',
+            $this->buildSiteConfiguration(1200, 'https://website.local/csp-enabled/'),
+            csp: [
+                'enforce' => true,
+                'report' => true,
+            ],
         );
     }
 
@@ -86,10 +94,25 @@ protected function tearDown(): void
         parent::tearDown();
     }
 
+    #[Test]
+    public function nonceAttributesAreNotAssignedWhenCspIsDisabled(): void
+    {
+        $response = $this->executeFrontendSubRequest(new InternalRequest('https://website.local/default/welcome'));
+        $dom = new \DOMDocument();
+        $dom->loadHTML((string)$response->getBody());
+        $xpath = new \DOMXPath($dom);
+        $nonceAttrs = $xpath->query('//*[@nonce]');
+
+        self::assertStringStartsWith('max-age=', $response->getHeaderLine('Cache-Control'));
+        self::assertSame('public', $response->getHeaderLine('Pragma'));
+        self::assertEmpty($response->getHeaderLine('Content-Security-Policy'));
+        self::assertCount(0, $nonceAttrs);
+    }
+
     #[Test]
     public function nonceAttributesForAssetsAreUpdated(): void
     {
-        $firstResponse = $this->executeFrontendSubRequest(new InternalRequest('https://website.local/welcome'));
+        $firstResponse = $this->executeFrontendSubRequest(new InternalRequest('https://website.local/csp-enabled/features'));
         $firstCspHeader = $firstResponse->getHeaderLine('Content-Security-Policy');
         $dom = new \DOMDocument();
         $dom->loadHTML((string)$firstResponse->getBody());
@@ -101,8 +124,10 @@ public function nonceAttributesForAssetsAreUpdated(): void
         self::assertSame($firstScriptNonce, $firstLinkNonce);
         self::assertStringContainsString(sprintf("'nonce-%s'", $firstScriptNonce), $firstCspHeader);
         self::assertEmpty($firstResponse->getHeaderLine('X-TYPO3-Debug-Cache'));
+        self::assertNotEmpty($firstResponse->getHeaderLine('Content-Security-Policy-Report-Only'));
+        self::assertSame('private, no-store', $firstResponse->getHeaderLine('Cache-Control'));
 
-        $secondResponse = $this->executeFrontendSubRequest(new InternalRequest('https://website.local/welcome'));
+        $secondResponse = $this->executeFrontendSubRequest(new InternalRequest('https://website.local/csp-enabled/features'));
         $secondCspHeader = $secondResponse->getHeaderLine('Content-Security-Policy');
         $dom = new \DOMDocument();
         $dom->loadHTML((string)$secondResponse->getBody());
@@ -115,6 +140,8 @@ public function nonceAttributesForAssetsAreUpdated(): void
         self::assertNotSame($firstScriptNonce, $secondScriptNonce);
         self::assertStringContainsString(sprintf("'nonce-%s'", $secondScriptNonce), $secondCspHeader);
         self::assertStringStartsWith('Cached page generated', $secondResponse->getHeaderLine('X-TYPO3-Debug-Cache'));
+        self::assertNotEmpty($secondResponse->getHeaderLine('Content-Security-Policy-Report-Only'));
+        self::assertSame('private, no-store', $secondResponse->getHeaderLine('Cache-Control'));
     }
 
     #[Test]
@@ -126,6 +153,6 @@ public function nonceValueSubstitutionIsInvoked(): void
             ->with(self::isArray())
             ->willReturnCallback(static fn(array $context) => $context['content'] ?? null);
         GeneralUtility::addInstance(NonceValueSubstitution::class, $nonceValueSubstitutionMock);
-        $this->executeFrontendSubRequest(new InternalRequest('https://website.local/welcome'));
+        $this->executeFrontendSubRequest(new InternalRequest('https://website.local/csp-enabled/features'));
     }
 }