Feature #101580

open

Add feature flag to enable CSP ReportOnly mode

Added by Sascha Nowak 9 months ago. Updated 12 days ago.

Status:
Under Review
Priority:
Should have
Assignee:
Category:
Security
Target version:
-
Start date:
2023-08-04
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
easy
Sprint Focus:

Description

Since version 13 the backend CSP is enabled by default. The feature flag that was introduced in version 12 is now always active.
It would be great to have the possibility to put the frontend in report-only mode to collect data before rolling out the CSP.

To achieve this I would introduce another feature flag `security.frontend.contentSecurityPolicyReportOnly`.

Actions #1

Updated by Gerrit Code Review 9 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397

Actions #2

Updated by Gerrit Code Review 9 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397

Actions #3

Updated by Gerrit Code Review 9 months ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397

Actions #4

Updated by Gerrit Code Review 4 months ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80397

Actions #5

Updated by Johannes Schlier 12 days ago · Edited

Having a Report-Only option is a good step in the right direction, but I don't think a feature flag that simply changes the header to Report-Only is the way to approach this "problem".

IMO there should be an option to send both a Content-Security-Policy AND a Content-Security-Policy-Report-Only header, each with their own configuration for the policy.

Without both headers you either
a) potentially break users' experience when applying a stricter policy or
b) remove all policy enforcement when testing a new (stricter) policy with the report-only mode.

Having both headers allows changes to the CSP to be audited and tested, and reacted to, without the drawbacks I mentioned above.
This would be especially useful for older and/or larger projects where the new (at least to TYPO3) CSP feature should be added.
Without the possibility to safely test the changes I feel like an unnecessarily loose CSP would become standard in fear of breaking something.
Better than no CSP, but this should not be the goal.

What do you think @Oliver Hader ?
You implemented the whole CSP functionality as far as I know.
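
Worked example of the two-header rollout discussed in the description and in comment #5, added here by the editor; it is not code from the ticket, from the patch under review, or from TYPO3's own ContentSecurityPolicy API. The current policy stays enforced in `Content-Security-Policy` while a stricter candidate is sent as `Content-Security-Policy-Report-Only`, both pointing at the same report target, so violations of the candidate are collected without any user-visible breakage. The site origin, both policies, the nonce, the report endpoint path `/typo3/csp/report` and the violation report are all constructed, and the source matching is a deliberately reduced subset of CSP3.

```python
"""Two-header CSP rollout: keep the current policy enforced while a stricter
candidate policy is evaluated in report-only mode.

Added illustration for this ticket; it is not TYPO3 code and does not use
TYPO3's ContentSecurityPolicy API. Policies, origin, nonce and the report
endpoint are constructed, and source matching is a reduced subset of CSP3.
"""
import json

SITE_ORIGIN = "https://www.example.org"        # constructed
REPORT_ENDPOINT = "/typo3/csp/report"           # hypothetical report target

# Policy in production today: works, but allows inline scripts and a CDN.
ENFORCED = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "https://cdn.example.org"],
    "img-src": ["'self'", "data:"],
}
# Stricter candidate: nonces instead of 'unsafe-inline', CDN dropped.
CANDIDATE = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'nonce-{nonce}'"],
    "img-src": ["'self'"],
}


def serialize(policy, nonce, report_uri=None):
    """Render a policy dict as a header value, filling in the per-request nonce."""
    parts = [
        f"{directive} {' '.join(src.format(nonce=nonce) for src in sources)}"
        for directive, sources in policy.items()
    ]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def build_headers(nonce, enforced=ENFORCED, candidate=CANDIDATE, report_uri=REPORT_ENDPOINT):
    """Both headers on one response: the enforced one keeps the site working,
    the report-only one tells us what the candidate would have blocked."""
    return {
        "Content-Security-Policy": serialize(enforced, nonce, report_uri),
        "Content-Security-Policy-Report-Only": serialize(candidate, nonce, report_uri),
    }


def source_allowed(sources, resource, has_nonce):
    """Reduced CSP source matching: 'self', nonce, 'unsafe-inline' and
    scheme+host prefixes. Real CSP3 matching (wildcards, path rules,
    'strict-dynamic', a nonce overriding 'unsafe-inline') is not modelled.
    ``resource`` is a URL, or the string "inline" for an inline script."""
    for src in sources:
        if src == "'self'" and resource.startswith(SITE_ORIGIN + "/"):
            return True
        if src == "'unsafe-inline'" and resource == "inline":
            return True
        if src.startswith("'nonce-") and has_nonce:
            return True
        if not src.startswith("'") and resource != "inline" and resource.startswith(src):
            return True
    return False


def classify_load(resource, directive="script-src", has_nonce=False, nonce="r4nd0m"):
    """What happens to a load under the two-header setup:
    'blocked'  - enforced policy rejects it (user-visible breakage)
    'reported' - enforced allows it, candidate would not: a report is sent
    'allowed'  - both policies allow it"""
    enforced_src = [s.format(nonce=nonce) for s in ENFORCED[directive]]
    candidate_src = [s.format(nonce=nonce) for s in CANDIDATE[directive]]
    if not source_allowed(enforced_src, resource, has_nonce):
        return "blocked"
    if not source_allowed(candidate_src, resource, has_nonce):
        return "reported"
    return "allowed"


def triage_report(raw_body):
    """Sort an incoming csp-report by disposition: 'enforce' means a user
    actually hit a block, 'report' means the candidate policy flagged it."""
    report = json.loads(raw_body)["csp-report"]
    return {
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked_uri": report.get("blocked-uri"),
        "user_impact": report.get("disposition") == "enforce",
    }


# Constructed report, shaped like what a browser posts for the report-only policy.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": SITE_ORIGIN + "/",
    "effective-directive": "script-src",
    "violated-directive": "script-src",
    "blocked-uri": "https://cdn.example.org/app.js",
    "disposition": "report",
    "original-policy": serialize(CANDIDATE, "r4nd0m", REPORT_ENDPOINT),
}})

if __name__ == "__main__":
    for name, value in build_headers("r4nd0m").items():
        print(f"{name}: {value}")
    for res in ["https://www.example.org/main.js", "https://cdn.example.org/app.js", "inline"]:
        print(res, "->", classify_load(res))
    print(triage_report(SAMPLE_REPORT))
```

The CDN script is the interesting case: it loads fine under the enforced policy, so nothing breaks for visitors, but the report-only policy posts a report, which is exactly the signal needed before tightening the enforced header. The `disposition` field in the report distinguishes the two headers on the receiving side, so reports from the candidate can be triaged separately from real blocks. `report-uri` is the older mechanism; CSP3 moves to `report-to` with the Reporting API, but browsers still honour `report-uri`, which is why it is used here.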
