Bug #104486
CSP Header is missing on Error 404 Page
Status: closed
% Done: 100%
Description
We use TYPO3 12 (12.4.15) Content Security Policy to generate CSP Header for Frontend.
All regular pages return the correct CSP Header. But the custom 404 page does not respond with CSP Header.
We have configured the 404 page as follows in config.yaml (Site Configuration):
errorHandling:
  -
    errorCode: '404'
    errorHandler: Page
    errorContentSource: 't3://page?uid=40'
Examples:
Regular page, returns the correct CSP header (configured via TYPO3):
curl -I http://example.local/start.html
HTTP/1.1 200 OK
...
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: ...; report-uri http://example.local/@http-reporting?csp=report&requestTime=1721998569681665
A page which does not exist (Error 404) does not return a CSP header.
curl -I http://example.local/this-page-does-not-exists.html
HTTP/1.1 404 Not Found
...
(no CSP Header at all)
The page with uid 40 returns the correct CSP header (it's also a regular TYPO3 page):
curl -I http://example.local/404.html
HTTP/1.1 200 OK
...
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: ...; report-uri http://example.local/@http-reporting?csp=report&requestTime=1721998999557088
Expected Result:
A page which is not found and returns 404 should also send the CSP header.
Our current Hotfix (workaround):
Add a fallback CSP to .htaccess if no CSP header is present in the response:
<IfModule mod_headers.c>
<FilesMatch ".*">
# Hotfix: hardcoded copy of the TYPO3 CSP
Header setifempty Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: ...;"
</FilesMatch>
</IfModule>
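A practitioner reproducing this report will want a repeatable check rather than eyeballing `curl -I` output: every URL, including the ones that end in a 404, should carry a Content-Security-Policy header, and a hand-copied fallback like the .htaccess hotfix above can silently drift from the policy TYPO3 generates. The script below is an added example, not code from the report or from TYPO3. It parses raw `curl -I` output, compares each response's policy against a reference page while ignoring the `report-uri` directive (TYPO3 appends a per-request `requestTime` to it), and reports every URL that has no CSP or enforces a different one. The sample responses are constructed to mirror the report; the hostnames and paths are placeholders.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HeadResponse:
    """Status code and headers of one HTTP response (header names lower-cased)."""
    status: int
    headers: dict = field(default_factory=dict)


def parse_curl_head(raw: str) -> HeadResponse:
    """Parse the text printed by `curl -I`: a status line followed by header lines.

    If curl followed redirects it prints one block per hop; only the last block
    (the final response) is inspected. Lines without ':' (e.g. '...') are skipped.
    """
    blocks = [b for b in re.split(r"\r?\n[ \t]*\r?\n", raw.strip()) if b.strip()]
    lines = blocks[-1].splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0].strip())
    if not m:
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return HeadResponse(int(m.group(1)), headers)


def parse_csp(policy: str) -> dict:
    """Split a policy into {directive: sorted source list}; source order is irrelevant."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = sorted(tokens[1:])
    return directives


# Reporting directives carry a per-request requestTime in TYPO3, so they are not compared.
REPORTING = {"report-uri", "report-to"}


def policies_match(a: str, b: str) -> bool:
    """True when both policies enforce the same directives with the same sources."""
    def enforced(policy):
        return {k: v for k, v in parse_csp(policy).items() if k not in REPORTING}
    return enforced(a) == enforced(b)


def audit(responses: dict, reference_url: str) -> list:
    """responses maps URL -> raw `curl -I` output; reference_url is a regular page
    whose policy is the expected one. Returns one finding per URL that lacks a CSP
    header or enforces a different policy, regardless of the status code."""
    parsed = {url: parse_curl_head(raw) for url, raw in responses.items()}
    expected = parsed[reference_url].headers.get("content-security-policy")
    findings = []
    for url, resp in parsed.items():
        csp = resp.headers.get("content-security-policy")
        if csp is None:
            findings.append(f"{url}: HTTP {resp.status} without Content-Security-Policy")
        elif expected is not None and not policies_match(csp, expected):
            findings.append(f"{url}: HTTP {resp.status} CSP differs from {reference_url}")
    return findings


# Constructed sample responses (not captured from a real site) mirroring the report.
POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:"
SAMPLES = {
    # regular page: TYPO3-generated policy with its per-request report-uri
    "http://example.local/start.html":
        "HTTP/1.1 200 OK\nContent-Type: text/html\n"
        f"Content-Security-Policy: {POLICY}; report-uri http://example.local/@http-reporting?csp=report&requestTime=1\n",
    # the bug: 404 response without any CSP header
    "http://example.local/this-page-does-not-exist.html":
        "HTTP/1.1 404 Not Found\nContent-Type: text/html\n",
    # 404 after the .htaccess fallback: same directives, no report-uri -> acceptable
    "http://example.local/missing-with-fallback.html":
        f"HTTP/1.1 404 Not Found\nContent-Security-Policy: {POLICY};\n",
    # a fallback copy that drifted from the TYPO3 policy -> flagged
    "http://example.local/missing-with-stale-fallback.html":
        "HTTP/1.1 404 Not Found\nContent-Security-Policy: default-src 'self'; script-src 'self'\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLES, "http://example.local/start.html"):
        print(finding)
```

To run it against a live site, replace the values in `SAMPLES` with the output of `curl -sI <url>` for a regular page, a non-existent path and the configured error page; the reference page should be one whose header you have verified is generated by TYPO3, not by the .htaccess fallback.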
Updated by Gerrit Code Review 4 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85487
Updated by Gerrit Code Review 4 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/85515
Updated by Georg Ringer 4 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 0655a07cee97b823b55e9553941f27c839410058.