Task #73047
Content-Security-Policy for the Backend (closed)
Description
There are still (7.6) CSP issues in the backend (/typo3) and I am wondering why ticket 63712 has been closed.
We should add a fitting CSP to the .htaccess in /typo3. Currently I am adding
Header set Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline'"
in /typo3/.htaccess to overrule the more strict CSP of the website itself and make the backend work as well.
It would be a nice security feature if the TYPO3 backend would support a stricter CSP.
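The two-level setup described in the report, as an added example that is not part of the issue or of TYPO3 itself: a strict policy in the document root .htaccess for the frontend, and a per-directory relaxation in /typo3/.htaccess for the backend, plus a Report-Only header to measure what a stricter backend policy would block before anyone tightens it. The policy values, the /csp-report path and the assumption that both files live in the same virtual host are illustrative choices, not TYPO3 defaults.

```apacheconf
# Added example, not from the issue or the TYPO3 project. Requires mod_headers
# and "AllowOverride FileInfo" (or All) for the directories involved.

# ---------- /.htaccess (document root, frontend) ----------
<IfModule mod_headers.c>
    # Strict site-wide default: same-origin resources only, no inline scripts,
    # no eval, no plugins, no framing by other origins. Policy values are
    # assumptions chosen for illustration.
    Header set Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
</IfModule>

# ---------- /typo3/.htaccess (backend) ----------
<IfModule mod_headers.c>
    # Per-directory override: mod_headers applies the child directory's
    # directives after the parent's, so "set" replaces the strict value for
    # requests under /typo3. Use the same condition ("onsuccess", the default
    # for plain "Header") as the parent: mixing "Header set" in one file with
    # "Header always set" in the other emits two CSP headers, and browsers
    # enforce both, so the strict frontend policy would still break the backend.
    Header set Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline'"

    # Report-Only is not enforced; it only sends violation reports, so it can
    # be used to find out which backend resources a stricter policy would
    # block. /csp-report is a hypothetical endpoint you would have to provide.
    Header set Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report"
</IfModule>
```

To confirm which policy a given path actually receives, request a frontend page and a backend page and compare the Content-Security-Policy response headers; a duplicated header on the backend response is the symptom of the mixed-condition mistake noted in the comments.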
Updated by Frans Saris about 7 years ago
Peter,
do you have an idea what parts are now preventing us from using a stricter Content-Security-Policy?
Updated by Felix Nagel almost 7 years ago
Looks like the Ext JS 3.4 script uses eval.
Having an .htaccess file in the /typo3 source folder would be a nice thing anyway, as one needs to add those manually in order to have a strict CSP in the FE.
Updated by Oliver Hader almost 6 years ago
- Related to Epic #87417: Integrate proper Content Security Policy (CSP) handling added
Updated by Oliver Hader almost 6 years ago
- Status changed from New to Closed
Please continue in issue #87417 which (now) contains a more detailed list of required tasks.