Project

General

Profile

Actions
Copy link

Bug #101477

closed

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Feature #99499: Introduce Content Security Policy handling

Extend CSP directives and sources

Added by Oliver Hader over 1 year ago. Updated 4 months ago.

Status:
Closed
Priority:
Should have
Assignee:
Oliver Hader
Category:
Security
Target version:
-
Start date:
2023-07-28
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The CSP directives 'report-to', 'require-trusted-types-for' and
'trusted-types' have been added. Albeit there aren't any typed value
counterparts yet, they can be wrapped in a RawValue object, e.g.

new Mutation(
  MutationMode::Set,
  Directive::RequireTrustedTypesFor,
  new RawValue("'script'")
),

The cases for 'unsafe-hashes' and 'strict-dynamic' were accidentally
added as directives instead of source keywords and have been removed.

The source schemes 'filesystem:' and 'mediastream' have been added.

Besides that, the frontend CSP configuration now limits using the
<base> element to same-origin URIs. The backend CSP configuration
is now even stricter since using <base> , <embed> and <object>
elements is blocked.

Related issues 1 (0 open1 closed)

Has duplicate TYPO3 Core - Bug #100905: Deny base-uri and object-src per defaultClosedOliver Hader2023-05-20

Actions
Actions
Copy link

Also available in: Atom PDF