Feature #104470

closed

CSP - Report-Only mode

Added by cosmoblonde GmbH 4 months ago. Updated about 1 month ago.

Status: Closed
Priority: Should have
Assignee:
Category: Content Security Policy
Target version: -
Start date: 2024-07-24
Due date:
% Done: 100%
Estimated time:
PHP Version: 8.2
Tags:
Complexity:
Sprint Focus:

Description

Implementing a proper CSP for a complex TYPO3 site using many external sources, scripts and stuff is a nasty and time-consuming task.

So although it's great that CSP violations can be tracked with TYPO3 in the CSP BE module - it would be good if a Report-Only Tracking could be set via configuration. So a website can run a while in reporting-mode and you can collect the issues and fix them.

We do not find any configuration flags that would enable a Report-Only mode.

You can turn on
SYS.features.security.backend.enforceContentSecurityPolicy
and/or
SYS.features.security.frontend.enforceContentSecurityPolicy

but this does directly activate the CSP - so the FE may become unusable and this is not suitable for a live site.

Or is this already possible and we have just missed the respective documentation?


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Feature #101580: Add feature flag to enable CSP ReportOnly mode (Closed, Oliver Hader, 2023-08-04)
