Project

General

Profile

Actions

Task #73047

closed

Content-Security-Policy for the Backend

Added by Peter Proell about 8 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2016-01-31
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

There is still (7.6) CSP Issues in the backend (/typo3) and I am wondering why ticket 63712 has been closed.
We should add a fitting CSP to the .htaccess in /typo3. Currently I am adding

Header set Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline';

in /typo3/.htaccess to overrule the more strict CSP of the website itself and make the backend work as well.
It would be a nice security feature if the TYPO3 backend would support a stricter CSP.

Infos on CSP:

Related issues 2 (1 open1 closed)

Related to TYPO3 Core - Task #63712: Avoid use of eval() and replace itClosed2015-09-30

Actions
Related to TYPO3 Core - Epic #87417: Integrate proper Content Security Policy (CSP) handlingNewOliver Hader2019-01-13

Actions
Actions #1

Updated by Riccardo De Contardi over 7 years ago

  • Category set to Security
Actions #2

Updated by Frans Saris over 6 years ago

Peter,

do you have an idea what parts are now preventing us from using a stricter Content-Security-Policy?

Actions #3

Updated by Felix Nagel about 6 years ago

Looks like the Ext JS 3.4 script uses eval.

Having a htaccess file in /typo3 source folder would be a nice thing anyway, as one needs to add those manually in order to have strict CSP in FE.

Actions #4

Updated by Oliver Hader about 5 years ago

  • Related to Epic #87417: Integrate proper Content Security Policy (CSP) handling added
Actions #5

Updated by Oliver Hader about 5 years ago

  • Status changed from New to Closed

Please continue in issue #87417 which (now) contains a more detailed list of required tasks.

Actions

Also available in: Atom PDF