Epic #87417

Integrate proper Content Security Policy (CSP) handling

Added by Oliver Hader over 1 year ago. Updated 6 days ago.

Status: New
Priority: Should have
Assignee:
Category: Security
Start date: 2019-01-13
Due date:
% Done: 12%
Sprint Focus:

Description

In order to reduce the risk of cross-site scripting in the TYPO3 backend, proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough: reporting, management and adjustment of core components as well as of third-party components (extensions) are required, too.

The functionality is outlined as follows:

  • CSP management & configuration module (either per site or for the whole TYPO3 installation)
  • CSP violation reporting endpoint, in order to identify flaws and violations earlier (these might be misconfigurations or vulnerabilities)
  • CSP manifest definition that allows third-party extensions to use resources of remote hosts (to be used in the management module)
  • adjustment and refactoring of TYPO3 core components & guidelines for extension authors
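To make the three moving parts above concrete, here is an added example that is not TYPO3 code and does not follow any real TYPO3 configuration format: a constructed extension manifest of remote hosts, a nonce-based backend policy built from it (no 'unsafe-inline'), and a triage of the JSON bodies a browser POSTs to the report-uri endpoint, which sorts a violation into "stale header", "incomplete manifest", "leftover inline script" or "undeclared host". The manifest layout, the endpoint path /typo3/csp-report, the extension names and all host names are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed manifest (hypothetical format): remote hosts each extension needs,
# keyed by CSP directive. Nothing here is real TYPO3 configuration.
MANIFEST = {
    "ext:dashboard": {"script-src": ["https://cdn.example.org"]},
    "ext:maps": {
        "img-src": ["https://tiles.example.net"],
        "connect-src": ["https://tiles.example.net"],
    },
}

# Restrictive baseline for a backend: no 'unsafe-inline', no 'unsafe-eval'.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
}


def build_policy(manifest, nonce, report_uri="/typo3/csp-report"):
    """Merge manifest hosts into the baseline and return the CSP header value."""
    merged = {directive: list(sources) for directive, sources in BASE_POLICY.items()}
    for ext_sources in manifest.values():
        for directive, hosts in ext_sources.items():
            bucket = merged.setdefault(directive, ["'self'"])
            for host in hosts:
                if host not in bucket:
                    bucket.append(host)
    # A per-response nonce replaces 'unsafe-inline': only <script nonce=...> tags
    # emitted by the server may run, so injected inline scripts are blocked.
    merged["script-src"].append(f"'nonce-{nonce}'")
    parts = [f"{directive} {' '.join(sources)}" for directive, sources in merged.items()]
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def triage_report(body, manifest):
    """Classify one violation report (the JSON body a browser POSTs to report-uri).

    Returns (effective directive, blocked URI, verdict, extension or None); the
    verdict separates header/manifest problems from a possible injection.
    """
    report = json.loads(body)["csp-report"]
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    if blocked in ("inline", "eval"):
        # Leftover inline script in core/extension code, or an injection attempt:
        # either way it needs a human look, which is why reporting matters.
        return directive, blocked, "inline-script", None
    parsed = urlsplit(blocked)
    origin = f"{parsed.scheme}://{parsed.netloc}" if parsed.netloc else blocked
    for extension, sources in manifest.items():
        declared = [d for d, hosts in sources.items() if origin in hosts]
        if declared:
            # Declared for this directive: the deployed header is stale.
            # Declared only for other directives: the manifest is incomplete.
            verdict = "stale-policy" if directive in declared else "manifest-gap"
            return directive, blocked, verdict, extension
    return directive, blocked, "unexpected-host", None


# Constructed report bodies, shaped like what browsers send to report-uri.
SAMPLE_REPORTS = [
    # 1: an inline handler survived the refactoring (or was injected).
    json.dumps({"csp-report": {
        "document-uri": "https://typo3.example/typo3/module/web/list",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "inline",
    }}),
    # 2: ext:maps loads a font from a host it declared only for images/XHR.
    json.dumps({"csp-report": {
        "document-uri": "https://typo3.example/typo3/module/maps",
        "effective-directive": "font-src",
        "violated-directive": "default-src",
        "blocked-uri": "https://tiles.example.net/fonts/ui.woff2",
    }}),
    # 3: no extension declares this host: undeclared dependency or injection.
    json.dumps({"csp-report": {
        "document-uri": "https://typo3.example/typo3/module/web/list",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "https://unknown.example.com/x.js",
    }}),
]


def triage_all(bodies=SAMPLE_REPORTS, manifest=MANIFEST):
    return [triage_report(body, manifest) for body in bodies]


if __name__ == "__main__":
    print(build_policy(MANIFEST, "d2ViLXRlc3Q"))
    for result in triage_all():
        print(result)
```

The nonce must be freshly generated per response (for example with `secrets.token_urlsafe()`) and must reach every legitimate script tag, which is exactly why the inline-script subtasks have to land before the header can be enforced rather than merely reported. Newer browsers prefer the `report-to` directive with a `Reporting-Endpoints` header, but `report-uri` is still honoured and is the simpler starting point for an endpoint like the one outlined here.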

Subtasks

  • Task #87418: Refactor and remove usage of inline scripts in backend (Accepted)
  • Task #91015: Reduce inline JavaScript in ext:beuser (Closed, Oliver Hader)
  • Task #91016: Reduce inline JavaScript in ext:filelist (Closed, Oliver Hader)
  • Task #91052: Reduce inline onchange events in backend scope (Closed, Oliver Hader)
  • Task #91109: Reduce inline JavaScript in ext:redirects and ext:scheduler (Closed, Oliver Hader)
  • Task #91110: Remove superfluous onclick events in FormEngine (Closed, Oliver Hader)
  • Task #91111: Reduce inline JavaScript in QueryView (Closed, Oliver Hader)
  • Task #91117: Use GlobalEventHandler and ActionDispatcher instead of inline JS (Closed, Oliver Hader)
  • Task #91120: Remove superfluous inline JavaScript assignment in ext:beuser (Closed, Oliver Hader)
  • Task #91122: Introduce DocumentService as JQuery.ready substitute (Closed)
  • Task #91123: Avoid inline JavaScript generated by BackendUtility:viewOnClick (Under Review, Oliver Hader)
  • Task #91124: Add substitutes for module menu navigation (New, Oliver Hader)
  • Task #91125: Add substitutes for declaring static inline settings (New, Oliver Hader)
  • Task #91132: Reduce inline JavaScript in ext:setup (Resolved, Oliver Hader)
  • Task #91191: Reduce inline JavaScript for refreshing backend components (Under Review, Oliver Hader)
  • Task #87419: Deprecate functionality used to add inline styles & scripts (New)
  • Feature #87420: Integrate signatures for Stylesheet and JavaScript resources (New)
  • Feature #87421: Integrate CSP reporting endpoint (New)
  • Task #87422: Integrate remote resource manifest (New)
  • Feature #87423: Integrate CSP management module (New)

Related issues

  • Related to TYPO3 Core - Task #73047: Content-Security-Policy for the Backend (Closed, 2016-01-31)

History

#1 Updated by Oliver Hader over 1 year ago

  • Related to Task #73047: Content-Security-Policy for the Backend added

#2 Updated by Oliver Hader over 1 year ago

  • Assignee deleted (Oliver Hader)

#3 Updated by Oliver Hader over 1 year ago

  • Assignee set to Oliver Hader
