Epic #87417

open

Integrate proper Content Security Policy (CSP) handling

Added by Oliver Hader about 5 years ago. Updated 6 months ago.

Status:
New
Priority:
Should have
Assignee:
Category:
Security
Start date:
2019-01-13
Due date:
% Done:

87%

Estimated time:
(Total: 0.00 h)
Sprint Focus:

Description

In order to reduce the risk of cross-site scripting in the TYPO3 backend, proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough: reporting, management and adjustment of core components as well as third-party components (extensions) are also required.

The functionality is outlined as follows:

  • CSP management & configuration module (either on a site level or for whole TYPO3 installation)
  • CSP violation reporting endpoint in order to identify flaws and violations earlier (might be misconfiguration or vulnerability)
  • CSP manifest definition that allows 3rd party extensions to use resources of remote hosts (to be used in management module)
  • adjustment and refactoring of TYPO3 core components & guidelines for extension authors

Subtasks 88 (9 open, 79 closed)

Issue | Status | Assignee | Date

Task #87418: Refactor and remove usage of inline scripts in backend | In Progress | - | 2020-04-13
Task #91015: Reduce inline JavaScript in ext:beuser | Closed | Oliver Hader | 2020-04-13
Task #91016: Reduce inline JavaScript in ext:filelist | Closed | Oliver Hader | 2020-04-13
Task #91052: Reduce inline onchange events in backend scope | Closed | Oliver Hader | 2020-04-15
Task #91109: Reduce inline JavaScript in ext:redirects and ext:scheduler | Closed | Oliver Hader | 2020-04-18
Task #91110: Remove superfluous onclick events in FormEngine | Closed | Oliver Hader | 2020-04-18
Task #91111: Reduce inline JavaScript in QueryView | Closed | Oliver Hader | 2020-04-18
Task #91117: Use GlobalEventHandler and ActionDispatcher instead of inline JS | Closed | Oliver Hader | 2020-04-18
Task #91120: Remove superfluous inline JavaScript assignment in ext:beuser | Closed | Oliver Hader | 2020-04-18
Task #91122: Introduce DocumentService as JQuery.ready substitute | Closed | - | 2020-04-18
Task #91123: Avoid inline JavaScript generated by BackendUtility:viewOnClick | Closed | Oliver Hader | 2020-04-18
Task #91124: Add substitutes for module menu navigation | Closed | Oliver Hader | 2021-05-04
Task #94058: Remove goToModule() inline JavaScript invocations | Closed | - | 2021-05-04
Task #94762: Introduce ModuleStateStorage replacing fsMod | Closed | - | 2021-08-09
Task #94828: Avoid errors when using ModuleStateStorage | Closed | Benni Mack | 2021-08-12
Task #91125: Add substitutes for declaring static inline settings | Closed | Oliver Hader | 2020-04-18
Task #91132: Reduce inline JavaScript in ext:setup | Closed | Oliver Hader | 2020-04-19
Task #91191: Reduce inline JavaScript for refreshing backend components | Closed | Oliver Hader | 2020-04-25
Task #91786: Replace RequireJS module loading and invocation | Closed | Oliver Hader | 2020-07-12
Task #91787: Deprecate and replace inline JavaScript in FormEngine | Closed | Oliver Hader | 2020-07-12
Task #91795: Replace window.open with WindowManager & PreviewUriBuilder | Closed | Oliver Hader | 2020-07-13
Task #91804: Remove inline JavaScript from backend paginate view helper | Closed | Oliver Hader | 2020-07-15
Task #91815: Remove window.open inline JavaScript | Closed | Oliver Hader | 2020-07-17
Task #91820: Remove inline onclick code from MoveElementController | Closed | Oliver Hader | 2020-07-17
Task #93899: Replace inline JS of FormEngine reload request | Closed | - | 2021-04-11
Task #94766: Remove obsolete inline JavaScript related to BE routing | Closed | Benni Mack | 2021-08-09
Task #94770: Avoid inline JavaScript in Constant Editor | Closed | Benni Mack | 2021-08-10
Task #94777: Avoid inline JavaScript in DatabaseRecordList | Closed | Oliver Bartsch | 2021-08-10
Task #95200: Streamline requireJS usage in FormEngine | Closed | - | 2021-09-12
Task #95260: Substitute inline onclick events for ShortcutMenu | Closed | - | 2021-09-17
Task #95266: Remove inline JavaScript from Install Tool | Closed | - | 2021-09-17
Task #95276: Clean up code & add deprecation comments | Closed | - | 2021-09-20
Task #95277: Refactor new content element realm | Closed | - | 2021-09-20
Task #95278: Deprecate inline JavaScript in ModuleTemplate components | Closed | - | 2021-09-20
Task #95873: Use explicit JavaScript module instructions in dashboard | Closed | Oliver Hader | 2021-11-04
Task #95874: Avoid JavaScript eval function in FormEngine AjaxDispatcher | Closed | Oliver Hader | 2021-11-04
Task #95896: Remove inline JavaScript in ViewModule | Closed | Torben Hansen | 2021-11-07
Task #95953: Transform JavaScriptHander.js to be hybrid IIFE and AMD | Closed | Oliver Hader | 2021-11-10
Task #95954: Reduce inline JavaScript in FormEngine AJAX responses | Closed | Oliver Hader | 2021-11-10
Task #95989: Avoid inline JavaScript in Scheduler | Closed | Oliver Hader | 2021-11-15
Task #96002: Avoid inline JavaScript in backend update signals | Closed | Oliver Hader | 2021-11-16
Task #96003: Avoid inline JavaScript in DispatchNotificationHook | Closed | Oliver Hader | 2021-11-16
Task #96012: Avoid inline JavaScript in OpendocsToolbarItem::updateNumberOfOpenDocsHook | Closed | - | 2021-11-17
Task #96018: Avoid inline JavaScript in f:be.menus.actionMenu | Closed | Oliver Hader | 2021-11-17
Task #96019: Avoid inline JavaScript in wizard EditController | Closed | Oliver Hader | 2021-11-17
Task #96020: Deprecate \TYPO3\CMS\Backend\Form\Behavior\OnFieldChangeInterface | Closed | - | 2021-11-17
Task #96136: Deprecate inline JavaScript in backend update signals | Closed | - | 2021-11-29
Task #96158: Remove support for inline JavaScript in fieldChangeFunc | Closed | - | 2021-11-30
Task #96185: Avoid inline JavaScript in LinkBrowserController | Closed | - | 2021-12-02
Task #96187: Avoid CKEditor4 inline JavaScript | Closed | - | 2021-12-02
Task #96524: Deprecate inline JavaScript in Dashboard | Closed | - | 2022-01-12
Task #96565: Avoid inline javascript for clipboard paste in PageLayoutController | Closed | Benjamin Franzke | 2022-01-18
Task #96566: Streamline DragUploader JavaScriptModuleInstruction | Closed | Benjamin Franzke | 2022-01-18
Bug #99917: Get rid of newly introduced inline JavaScript "javascript:;" | Resolved | Frank Nägler | 2023-02-10
Task #87419: Deprecate functionality used to add inline styles & scripts | Closed | - | 2019-01-13
Feature #87420: Integrate signatures for Stylesheet and JavaScript resources | Closed | - | 2019-01-13
Feature #87421: Integrate CSP reporting endpoint | Closed | - | 2019-01-13
Task #87422: Integrate extension meta-manifest | Accepted | - | 2019-01-13
Feature #87423: Integrate CSP management module | Closed | - | 2019-01-13
Task #91785: Refactor and remove inline styles in backend | Accepted | Oliver Hader | 2020-04-28
Task #91216: Replace <style> for compliance with CSP header | Closed | - | 2020-04-28
Task #91806: Deprecate BackendUtility::viewOnClick | Closed | Oliver Hader | 2020-07-16
Task #91814: Deprecate TYPO3\CMS\Backend\Template\Components\AbstractControl::setOnClick | Closed | Oliver Hader | 2020-07-17
Task #95898: Extend build process to monitor Content Security Policy violations | Closed | - | 2021-11-07
Feature #99499: Introduce Content Security Policy handling | Under Review | Oliver Hader | 2023-03-01
Feature #100055: Introduce Content Security Policy headers | Closed | - | 2023-03-01
Feature #100056: Introduce Content Security Policy reporting & inspection | Closed | - | 2023-03-01
Task #100140: Properly handle inline stylesheets | Closed | - | 2023-03-11
Task #100141: Add possibility to add resource hashes | Closed | Oliver Hader | 2023-03-11
Task #100190: Fix RST documentation issues | Closed | - | 2023-03-17
Task #100413: Add policy inspection & management to Content-Security-Policy module | Under Review | Oliver Hader | 2023-04-03
Bug #100446: Add youtube-nocookie.com to static CSP declarations | Resolved | Oliver Hader | 2023-04-04
Bug #100460: Page preview of different domain cannot be shown in web>view module | Resolved | Oliver Hader | 2023-04-05
Task #100691: Track CSP nonce consumption | Closed | - | 2023-04-20
Task #100903: Add Facebook In-App Handler | Under Review | Oliver Hader | 2023-05-20
Bug #100904: Fallback to script-src and style-src | New | Oliver Hader | 2023-05-20
Bug #100905: Deny base-uri and object-src per default | Resolved | Oliver Hader | 2023-05-20
Task #100906: Handle CSP violations in browser extensions | New | - | 2023-05-20
Bug #101460: Allow strict-dynamic only for applicable CSP directives | Resolved | - | 2023-07-27
Bug #101477: Extend CSP directives and sources | Resolved | Oliver Hader | 2023-07-28
Task #101751: Use ConsumableNonce instead of blunt Nonce in CSP context | Closed | Oliver Hader | 2023-08-25
Task #100587: Deprecate form engine result property additionalJavaScriptPost & inline JavaScript customEval | Closed | - | 2023-04-14
Task #100616: Add docheader buttons to CSP module | Under Review | Chris Müller | 2023-04-16
Bug #100618: CSP module: Mute and delete of violations do not work | Resolved | - | 2023-04-16
Bug #100621: CSP: Reduce a directive by a URL in csp.yaml is not working | Resolved | - | 2023-04-16
Task #100664: Allow using nonce values explicitly in PageRenderer methods handling inline code | Closed | - | 2023-04-19
Bug #100665: Handle dynamic nonce update in cached HTML markup | Resolved | - | 2023-04-19
Task #100667: Apply nonce hint (window.litNonce) on demand only | Closed | - | 2023-04-19

Related issues 3 (0 open, 3 closed)

Issue | Status | Date

Related to TYPO3 Core - Task #73047: Content-Security-Policy for the Backend | Closed | 2016-01-31
Related to TYPO3 Core - Task #95041: Extract default inline frontend JavaScript | Closed | 2021-08-30
Related to TYPO3 Core - Task #95151: Replace inline JavaScript in AbstractPlugin | Closed | 2021-09-08
History

#1 Updated by Oliver Hader about 5 years ago

  • Related to Task #73047: Content-Security-Policy for the Backend added

#2 Updated by Oliver Hader about 5 years ago

  • Assignee deleted (Oliver Hader)

#3 Updated by Oliver Hader about 5 years ago

  • Assignee set to Oliver Hader

#4 Updated by Oliver Hader over 2 years ago

  • Related to Task #95041: Extract default inline frontend JavaScript added

#5 Updated by Oliver Hader over 2 years ago

  • Related to Task #95151: Replace inline JavaScript in AbstractPlugin added

#6 Updated by Oliver Hader about 1 year ago

  • Subtask #99499 added

#7 Updated by Oliver Hader 11 months ago

  • Subtask #100587 added

#8 Updated by Chris Müller 10 months ago

  • Subtask #100616 added

#9 Updated by Chris Müller 10 months ago

  • Subtask #100618 added

#10 Updated by Chris Müller 10 months ago

  • Subtask #100621 added

#11 Updated by Oliver Hader 10 months ago

  • Subtask #100664 added

#12 Updated by Oliver Hader 10 months ago

  • Subtask #100665 added

#13 Updated by Oliver Hader 10 months ago

  • Subtask #100667 added