Bug #101477

closed

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Feature #99499: Introduce Content Security Policy handling

Extend CSP directives and sources

Added by Oliver Hader 9 months ago. Updated 9 months ago.

Status: Resolved
Priority: Should have
Assignee:
Category: Security
Target version: -
Start date: 2023-07-28
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 12
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The CSP directives 'report-to', 'require-trusted-types-for' and
'trusted-types' have been added. Albeit there aren't any typed value
counterparts yet, they can be wrapped in a RawValue object, e.g.

new Mutation(
  MutationMode::Set,
  Directive::RequireTrustedTypesFor,
  new RawValue("'script'")
),

The cases for 'unsafe-hashes' and 'strict-dynamic' were accidentally
added as directives instead of source keywords and have been removed.

The source schemes 'filesystem:' and 'mediastream:' have been added.

Besides that, the frontend CSP configuration now limits using the
<base> element to same-origin URIs. The backend CSP configuration
is now even stricter since using <base>, <embed> and <object>
elements is blocked.

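To show how the directives and values described above fit together, here is an added example of a site package's Configuration/ContentSecurityPolicies.php. It is not code from this issue or from the TYPO3 core: the class names under TYPO3\CMS\Core\Security\ContentSecurityPolicy, the Map::fromEntries() file format and the enum case names are assumed from TYPO3 12's CSP integration, and the report-to group name is a placeholder. For the frontend scope it sets base-uri to 'self' and object-src to 'none' (the same tightening the description mentions), extends img-src with the newly added mediastream: scheme, and wraps the values for the three new directives in RawValue because no typed counterparts exist yet.

```php
<?php
// Added example, not from the issue or the TYPO3 core.
// File: Configuration/ContentSecurityPolicies.php of a site package.
// Class and enum case names are assumed from the TYPO3 12 core namespace
// TYPO3\CMS\Core\Security\ContentSecurityPolicy.
declare(strict_types=1);

use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Mutation;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationCollection;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationMode;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\RawValue;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\SourceKeyword;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\SourceScheme;
use TYPO3\CMS\Core\Type\Map;

return Map::fromEntries([
    Scope::frontend(),
    new MutationCollection(
        // base-uri 'self': a <base href> may only point at the same origin,
        // so injected markup cannot silently rebase every relative URL
        // (script, form action, link) to a foreign host.
        new Mutation(MutationMode::Set, Directive::BaseUri, SourceKeyword::self),

        // object-src 'none': no <object> or <embed> plugin content at all.
        new Mutation(MutationMode::Set, Directive::ObjectSrc, SourceKeyword::none),

        // Source schemes added with this change: keep existing img-src entries
        // (MutationMode::Extend) and additionally allow blob: and mediastream:.
        new Mutation(
            MutationMode::Extend,
            Directive::ImgSrc,
            SourceScheme::blob,
            SourceScheme::mediastream,
        ),

        // The trusted-types directives have no typed value objects yet,
        // so their literal values are passed through RawValue.
        new Mutation(
            MutationMode::Set,
            Directive::RequireTrustedTypesFor,
            new RawValue("'script'"),
        ),
        new Mutation(
            MutationMode::Set,
            Directive::TrustedTypes,
            new RawValue("'none'"),
        ),

        // report-to names a reporting group; the endpoint URL behind that group
        // is declared separately in a Reporting-Endpoints response header.
        // 'csp-endpoint' is a placeholder group name.
        new Mutation(
            MutationMode::Set,
            Directive::ReportTo,
            new RawValue('csp-endpoint'),
        ),
    ),
]);
```

Note that MutationMode::Set replaces whatever the core or another extension declared for that directive, while MutationMode::Extend keeps the existing sources; for base-uri and object-src a hard Set is deliberate, since the point is that no other configuration can widen them again by accident.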

Related issues: 1 (0 open, 1 closed)

Has duplicate: TYPO3 Core - Bug #100905: Deny base-uri and object-src per default (Resolved, Oliver Hader, 2023-05-20)

Actions #1

Updated by Oliver Hader 9 months ago

  • Description updated (diff)
Actions #2

Updated by Gerrit Code Review 9 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80204

Actions #3

Updated by Oliver Hader 9 months ago

  • Tracker changed from Task to Bug
Actions #4

Updated by Gerrit Code Review 9 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80204

Actions #5

Updated by Gerrit Code Review 9 months ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80204

Actions #6

Updated by Gerrit Code Review 9 months ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80208

Actions #7

Updated by Oliver Hader 9 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #8

Updated by Oliver Hader 8 months ago

  • Has duplicate Bug #100905: Deny base-uri and object-src per default added