Epic #87417

Integrate proper Content Security Policy (CSP) handling

Added by Oliver Hader about 1 month ago. Updated about 1 month ago.

Status: New
Priority: Should have
Assignee:
Category: Security
Start date: 2019-01-13
Due date:
% Done: 0%
Sprint Focus:

Description

In order to reduce the risk of cross-site scripting in the TYPO3 backend, proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough: reporting, management, and the adjustment of core components as well as third-party components (extensions) are required too.

The functionality is outlined as follows:

  • CSP management & configuration module (either on a site level or for the whole TYPO3 installation)
  • CSP violation reporting endpoint, in order to identify flaws and violations earlier (a report might indicate a misconfiguration or a vulnerability)
  • CSP manifest definition that allows third-party extensions to declare the remote hosts whose resources they use (to be consumed by the management module)
  • adjustment and refactoring of TYPO3 core components & guidelines for extension authors
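To make the interplay of manifest, header and reporting endpoint concrete, here is an added example in Python; it is not TYPO3 code and not part of this issue. The manifest format, the extension keys, the `/typo3/csp-report` path and the sample report are all constructed assumptions. It merges a core baseline policy with the manifests of enabled extensions, and classifies an incoming `csp-report` as a likely misconfiguration (a known manifest explains the blocked origin) or as suspicious (nothing declared explains it, e.g. an inline script).

```python
import json
from urllib.parse import urlsplit

# Constructed sample data for this example: the core's baseline directives and
# hypothetical extension manifests (extension key -> directive -> remote origins).
CORE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
}
EXTENSION_MANIFESTS = {
    "ext_maps": {"script-src": ["https://maps.example.com"],
                 "img-src": ["https://tiles.example.com"]},
    "ext_fonts": {"style-src": ["https://fonts.example.com"]},
}


def build_policy(core, manifests, enabled, report_uri):
    """Merge the core policy with the manifests of enabled extensions and
    render a Content-Security-Policy header value that reports violations."""
    merged = {directive: list(sources) for directive, sources in core.items()}
    for key in enabled:
        for directive, sources in manifests.get(key, {}).items():
            for src in sources:
                if src not in merged.setdefault(directive, []):
                    merged[directive].append(src)
    parts = [f"{d} {' '.join(v)}" for d, v in merged.items()]
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def classify_report(raw_json, manifests, enabled):
    """Parse a browser csp-report and decide whether the violation is explained
    by a known manifest (misconfiguration) or needs investigation (suspicious)."""
    report = json.loads(raw_json)["csp-report"]
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    if blocked in ("", "inline", "eval"):
        return ("suspicious", None)  # inline/eval is never declared in a manifest
    parsed = urlsplit(blocked)
    origin = f"{parsed.scheme}://{parsed.netloc}" if parsed.netloc else blocked
    for key, manifest in manifests.items():
        if origin in manifest.get(directive, []):
            # Declared by an extension: either it is not enabled or the header is stale.
            return ("misconfiguration", key)
    return ("suspicious", None)
```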

Subtasks

Task #87418: Refactor and remove usage of inline scripts in backend (New)

Task #87419: Deprecate functionality used to add inline styles & scripts (New)

Feature #87420: Integrate signatures for Stylesheet and JavaScript resources (New)

Feature #87421: Integrate CSP reporting endpoint (New)

Task #87422: Integrate remote resource manifest (New)

Feature #87423: Integrate CSP management module (New)


Related issues

Related to TYPO3 Core - Task #73047: Content-Security-Policy for the Backend (Closed 2016-01-31)

History

#1 Updated by Oliver Hader about 1 month ago

  • Related to Task #73047: Content-Security-Policy for the Backend added

#2 Updated by Oliver Hader about 1 month ago

  • Assignee deleted (Oliver Hader)

#3 Updated by Oliver Hader about 1 month ago

  • Assignee set to Oliver Hader
