Epic #87417

Integrate proper Content Security Policy (CSP) handling

Added by Oliver Hader over 2 years ago. Updated 1 day ago.

Status: New
Priority: Should have
Assignee:
Category: Security
Start date: 2019-01-13
Due date:
% Done: 19%
Estimated time: (Total: 0.00 h)
Sprint Focus:
Description

In order to reduce the risk of cross-site scripting in the TYPO3 backend, proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough: reporting, management, and adjustment of core components as well as 3rd-party components (extensions) are required as well.

The functionality is outlined as follows:

  • CSP management & configuration module (either on a site level or for whole TYPO3 installation)
  • CSP violation reporting endpoint in order to identify flaws and violations earlier (might be misconfiguration or vulnerability)
  • CSP manifest definition that allows 3rd party extensions to use resources of remote hosts (to be used in management module)
  • adjustment and refactoring of TYPO3 core components & guidelines for extension authors
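The following is an added example, not TYPO3 core code and not part of this issue, showing how the first three points fit together in PHP (8.0+): a baseline backend policy with a per-request nonce, a manifest through which an extension declares the remote hosts it needs (with keyword and wildcard sources rejected so a manifest cannot weaken the policy), and a parser for the JSON body a browser posts to the reporting endpoint. The class names `CspPolicy` and `CspReportHandler`, the endpoint path `/typo3/csp-report`, the manifest array shape and the hosts `cdn.example.org` / `maps.example.org` are assumptions; the violation report at the end is a constructed sample.

```php
<?php
declare(strict_types=1);

// Added example; not TYPO3 core code. All names below are assumptions.

final class CspPolicy
{
    /** @var array<string, string[]> directive => source list */
    private array $directives;

    public function __construct(private string $nonce)
    {
        // Baseline: nothing is allowed unless listed; inline script/style only via nonce.
        $this->directives = [
            'default-src'     => ["'self'"],
            'script-src'      => ["'self'", "'nonce-{$nonce}'"],
            'style-src'       => ["'self'", "'nonce-{$nonce}'"],
            'img-src'         => ["'self'", 'data:'],
            'object-src'      => ["'none'"],
            'base-uri'        => ["'self'"],
            'frame-ancestors' => ["'self'"],
        ];
    }

    public static function createWithRandomNonce(): self
    {
        // 128 bits from the CSPRNG, base64 encoded; must be fresh for every response
        return new self(base64_encode(random_bytes(16)));
    }

    public function getNonce(): string
    {
        return $this->nonce;
    }

    /**
     * Merge an extension manifest (directive => remote hosts).
     * Only https://host[:port] entries are accepted; '*', 'unsafe-inline', data: etc.
     * are rejected so an extension cannot loosen the policy through its manifest.
     */
    public function applyManifest(array $manifest): void
    {
        foreach ($manifest as $directive => $sources) {
            if (!isset($this->directives[$directive])) {
                throw new InvalidArgumentException("Unknown directive: {$directive}");
            }
            foreach ($sources as $source) {
                if (!preg_match('#^https://[a-z0-9.-]+(:\d+)?$#i', $source)) {
                    throw new InvalidArgumentException("Rejected source '{$source}' for {$directive}");
                }
                if (!in_array($source, $this->directives[$directive], true)) {
                    $this->directives[$directive][] = $source;
                }
            }
        }
    }

    public function toHeaderValue(string $reportUri): string
    {
        $parts = [];
        foreach ($this->directives as $directive => $sources) {
            $parts[] = $directive . ' ' . implode(' ', $sources);
        }
        $parts[] = 'report-uri ' . $reportUri;
        return implode('; ', $parts);
    }
}

final class CspReportHandler
{
    /** Parse an application/csp-report body; returns a normalized array, or null if malformed. */
    public static function parse(string $json): ?array
    {
        $data = json_decode($json, true);
        if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
            return null;
        }
        $r = $data['csp-report'];
        $blocked = (string)($r['blocked-uri'] ?? '');
        // blocked-uri "inline" or "eval" means inline code or eval() was refused:
        // either a component that still emits inline JS/CSS, or an injection attempt.
        $kind = in_array($blocked, ['inline', 'eval'], true) ? 'inline-code' : 'remote-resource';
        return [
            'document'  => (string)($r['document-uri'] ?? ''),
            'directive' => (string)($r['effective-directive'] ?? $r['violated-directive'] ?? ''),
            'blocked'   => $blocked,
            'kind'      => $kind,
            'sample'    => substr((string)($r['script-sample'] ?? ''), 0, 40),
        ];
    }
}

// --- usage (assumed endpoint path and hosts) ---
$policy = CspPolicy::createWithRandomNonce();
$policy->applyManifest([
    'img-src'    => ['https://cdn.example.org'],
    'script-src' => ['https://maps.example.org'],
]);
header('Content-Security-Policy: ' . $policy->toHeaderValue('/typo3/csp-report'));
echo '<script nonce="' . htmlspecialchars($policy->getNonce(), ENT_QUOTES) . '">/* backend bootstrap */</script>';

// Constructed sample of what a browser posts to the reporting endpoint.
$sampleReport = '{"csp-report":{"document-uri":"https://example.org/typo3/index.php",'
    . '"effective-directive":"script-src","blocked-uri":"inline","script-sample":"window.open(...)"}}';
print_r(CspReportHandler::parse($sampleReport));
```

`report-uri` is the directive browsers have supported longest; the newer `report-to` directive plus a `Reporting-Endpoints` header can be emitted alongside it. A report with `kind` = `inline-code` is the signal the second bullet is after: it points at either a core/extension component that still uses inline JavaScript or styles (the subtasks below), or at an injected script that the policy stopped.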

Subtasks

(Subject | Status | Assignee | Start date)

  • Task #87418: Refactor and remove usage of inline scripts in backend | Accepted | | 2020-04-13
  • Task #91015: Reduce inline JavaScript in ext:beuser | Closed | Oliver Hader | 2020-04-13
  • Task #91016: Reduce inline JavaScript in ext:filelist | Closed | Oliver Hader | 2020-04-13
  • Task #91052: Reduce inline onchange events in backend scope | Closed | Oliver Hader | 2020-04-15
  • Task #91109: Reduce inline JavaScript in ext:redirects and ext:scheduler | Closed | Oliver Hader | 2020-04-18
  • Task #91110: Remove superfluous onclick events in FormEngine | Closed | Oliver Hader | 2020-04-18
  • Task #91111: Reduce inline JavaScript in QueryView | Closed | Oliver Hader | 2020-04-18
  • Task #91117: Use GlobalEventHandler and ActionDispatcher instead of inline JS | Closed | Oliver Hader | 2020-04-18
  • Task #91120: Remove superfluous inline JavaScript assignment in ext:beuser | Closed | Oliver Hader | 2020-04-18
  • Task #91122: Introduce DocumentService as JQuery.ready substitute | Closed | | 2020-04-18
  • Task #91123: Avoid inline JavaScript generated by BackendUtility:viewOnClick | Closed | Oliver Hader | 2020-04-18
  • Task #91124: Add substitutes for module menu navigation | New | Oliver Hader | 2021-05-04
  • Task #94058: Remove goToModule() inline JavaScript invocations | Resolved | | 2021-05-04
  • Task #91125: Add substitutes for declaring static inline settings | New | Oliver Hader | 2020-04-18
  • Task #91132: Reduce inline JavaScript in ext:setup | Closed | Oliver Hader | 2020-04-19
  • Task #91191: Reduce inline JavaScript for refreshing backend components | Closed | Oliver Hader | 2020-04-25
  • Task #91786: Replace RequireJS module loading and invocation | New | Oliver Hader | 2020-07-12
  • Task #91787: Deprecate and replace inline JavaScript in FormEngine | New | Oliver Hader | 2020-07-12
  • Task #91795: Replace window.open with WindowManager & PreviewUriBuilder | New | Oliver Hader | 2020-07-13
  • Task #91804: Remove inline JavaScript from backend paginate view helper | Closed | Oliver Hader | 2020-07-15
  • Task #91815: Remove window.open inline JavaScript | Under Review | Oliver Hader | 2020-07-17
  • Task #91820: Remove inline onclick code from MoveElementController | Closed | Oliver Hader | 2020-07-17
  • Task #87419: Deprecate functionality used to add inline styles & scripts | New | | 2019-01-13
  • Feature #87420: Integrate signatures for Stylesheet and JavaScript resources | New | | 2019-01-13
  • Feature #87421: Integrate CSP reporting endpoint | New | | 2019-01-13
  • Task #87422: Integrate remote resource manifest | New | | 2019-01-13
  • Feature #87423: Integrate CSP management module | New | | 2019-01-13
  • Task #91785: Refactor and remove inline styles in backend | New | Oliver Hader | 2020-04-28
  • Task #91216: Replace <style> for compliance with CSP header | Closed | | 2020-04-28
  • Task #91806: Deprecate BackendUtility::viewOnClick | Under Review | Oliver Hader | 2020-07-16
  • Task #91814: Deprecate AbstractController::setOnClick | New | Oliver Hader | 2020-07-17

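Most of the subtasks above follow one pattern: markup that carries its behaviour in `onclick`/`onchange` attributes, `javascript:` URLs or `style` attributes cannot run under a policy without `'unsafe-inline'`, so the intent is moved into `data-` attributes and a single nonce'd (or external) script handles them. The added example below, in PHP and not TYPO3 core code, shows a legacy renderer of the `viewOnClick` kind next to its data-attribute replacement, and a scanner over rendered markup that lists the constructs a nonce-based CSP would block, the kind of check a core or extension author can run over a module's output. The function names `renderPreviewLinkLegacy`, `renderPreviewLink` and `findInlineCodeUsages`, and the attribute name `data-dispatch-action`, are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; not TYPO3 core code. Function and attribute names are assumptions.

/** Before: behaviour lives in an inline handler; a CSP without 'unsafe-inline' blocks it. */
function renderPreviewLinkLegacy(string $url): string
{
    // Building JavaScript in PHP also means escaping for JS *and* HTML contexts.
    $js = 'window.open(' . json_encode($url) . ',"_blank");return false;';
    return '<a href="#" onclick="' . htmlspecialchars($js, ENT_QUOTES) . '">Preview</a>';
}

/** After: intent is declared in data attributes; one nonce'd script dispatches all such links. */
function renderPreviewLink(string $url, string $nonce): string
{
    $html = '<a href="' . htmlspecialchars($url, ENT_QUOTES) . '" target="_blank"'
        . ' data-dispatch-action="open-window">Preview</a>';
    // In practice this handler ships once per response (or as an external module).
    $html .= '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">'
        . 'document.addEventListener("click",function(e){'
        . 'var a=e.target.closest("[data-dispatch-action=\"open-window\"]");'
        . 'if(!a){return;}e.preventDefault();window.open(a.href,"_blank");});'
        . '</script>';
    return $html;
}

/**
 * Scan rendered markup for constructs a nonce-based CSP rejects:
 * on* handlers, style attributes, javascript: URLs, and <script>/<style>
 * without the response nonce. Returns "<kind>: <detail>" strings, empty when clean.
 */
function findInlineCodeUsages(string $html, string $nonce): array
{
    $findings = [];
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    foreach ($doc->getElementsByTagName('*') as $element) {
        $tag = strtolower($element->tagName);
        foreach ($element->attributes as $attribute) {
            $name = strtolower($attribute->name);
            if (str_starts_with($name, 'on')) {
                $findings[] = "inline-handler: <{$tag} {$name}>";
            } elseif ($name === 'style') {
                $findings[] = "inline-style: <{$tag} style>";
            } elseif (in_array($name, ['href', 'src', 'action'], true)
                && preg_match('/^\s*javascript:/i', $attribute->value)) {
                $findings[] = "javascript-url: <{$tag} {$name}>";
            }
        }
        // Inline <script>/<style> bodies need the nonce; external src is covered by 'self'.
        if (in_array($tag, ['script', 'style'], true)
            && $element->getAttribute('src') === ''
            && $element->getAttribute('nonce') !== $nonce) {
            $findings[] = "unnonced-{$tag}";
        }
    }
    return $findings;
}

// --- usage ---
$nonce = base64_encode(random_bytes(16));
print_r(findInlineCodeUsages(renderPreviewLinkLegacy('/typo3/index.php?id=1'), $nonce));
print_r(findInlineCodeUsages(renderPreviewLink('/typo3/index.php?id=1', $nonce), $nonce));
print_r(findInlineCodeUsages('<div style="color:red"><a href="javascript:void(0)">x</a></div>', $nonce));
```

The scanner is deliberately stricter than a browser: it flags every `style` attribute even though `style-src` with a nonce or hash can be relaxed separately, because the subtask list above (#91785, #91216) treats inline styles as in scope for removal as well.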

Related issues

  • Related to TYPO3 Core - Task #73047: Content-Security-Policy for the Backend | Closed | 2016-01-31
#1

Updated by Oliver Hader over 2 years ago

  • Related to Task #73047: Content-Security-Policy for the Backend added
#2

Updated by Oliver Hader over 2 years ago

  • Assignee deleted (Oliver Hader)
#3

Updated by Oliver Hader over 2 years ago

  • Assignee set to Oliver Hader