From 6f3b519477930d50d3fe393d29539c97c0d2df99 Mon Sep 17 00:00:00 2001
From: Daniel Siepmann
Date: Tue, 8 Aug 2023 07:57:08 +0200
Subject: [PATCH] Remove unnecessary TYPO3 defaults from CSP

TYPO3 adds some defaults which my website doesn't use. These are removed to keep the website more secure and reduce transferred header size.
---
 .../ContentSecurityPolicyMutation.php | 48 +++++++++++++++++++
 Configuration/Services.yaml | 5 ++
 2 files changed, 53 insertions(+)
 create mode 100644 Classes/EventListener/ContentSecurityPolicyMutation.php

diff --git a/Classes/EventListener/ContentSecurityPolicyMutation.php b/Classes/EventListener/ContentSecurityPolicyMutation.php
new file mode 100644
index 0000000..0aaac28
--- /dev/null
+++ b/Classes/EventListener/ContentSecurityPolicyMutation.php
@@ -0,0 +1,48 @@
+
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+namespace DanielSiepmann\DsSite\EventListener;
+
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
+
+class ContentSecurityPolicyMutation
+{
+ public function __invoke(PolicyMutatedEvent $event): void
+ {
+ if ($event->scope !== Scope::frontend()) {
+ return;
+ }
+
+ $policy = $event->getCurrentPolicy();
+
+ $policy->remove(Directive::FrameSrc);
+ $policy->reduce(
+ Directive::ImgSrc,
+ new UriValue('*.ytimg.com'),
+ new UriValue('*.vimeocdn.com')
+ );
+ }
+}
diff --git a/Configuration/Services.yaml b/Configuration/Services.yaml
index 829902a..f26d495 100644
--- a/Configuration/Services.yaml
+++ b/Configuration/Services.yaml
@@ -77,3 +77,8 @@ services:
 tags:
 - name: event.listener
 event: TYPO3\CMS\Backend\Controller\Event\ModifyPageLayoutContentEvent
+
+ DanielSiepmann\DsSite\EventListener\ContentSecurityPolicyMutation:
+ tags:
+ - name: event.listener
+ event: TYPO3\CMS\Core\Security\ContentSecurityPolicy\Event\PolicyMutatedEvent
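Review bot: The guard `if ($event->scope !== Scope::frontend())` compares two objects by identity, so it only behaves as intended if `Scope::frontend()` hands back the same cached instance on every call; should TYPO3 dispatch this event with a distinct Scope instance (a site-specific frontend scope, for example), the comparison is always true, the listener returns early and the stock defaults silently stay in the header. That is worth confirming against the Scope class, or replacing with whatever equality method it provides, and the result should be checked on a real frontend response rather than assumed. Separately, `$policy->remove(Directive::FrameSrc)` does not forbid frames by itself: under the CSP fallback rules frame-src falls back to child-src and then default-src, so the effective frame policy becomes whatever those directives allow, and a comment such as `// frame-src is dropped on purpose: frames fall back to child-src/default-src; img-src loses the YouTube/Vimeo thumbnail hosts this site never embeds` would make that intent reviewable. The file's opening `<?php` line is not visible in the hunk as rendered, so whether `declare(strict_types=1)` is present cannot be checked here, and the class could be `final` since nothing is meant to extend a listener.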
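Review bot: The new `event.listener` tag carries neither an `identifier` nor an `after` attribute, so where this mutation runs relative to other PolicyMutatedEvent listeners depends on registration order; a listener from another extension that runs later and re-adds `*.ytimg.com`, `*.vimeocdn.com` or a frame-src source would quietly undo the hardening this commit introduces. If the intent is that this site's mutation is applied last, pin that with the tag's `after` attribute, or at minimum give it an `identifier` so other listeners can order themselves against it. Either way, the resulting Content-Security-Policy header should be verified on a frontend response, since nothing here fails loudly if the listener is overridden.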