Integrate proper Content Security Policy (CSP) handling
In order to reduce the risk of cross-site scripting in the TYPO3 backend, proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough, since reporting, management and adjustment of core components as well as 3rd party components (extensions) are also required.
The functionality is outlined as follows:
- CSP management & configuration module (either on a site level or for whole TYPO3 installation)
- CSP violation reporting endpoint in order to identify flaws and violations earlier (might be misconfiguration or vulnerability)
- CSP manifest definition that allows 3rd party extensions to use resources of remote hosts (to be used in management module)
- adjustment and refactoring of TYPO3 core components & guidelines for extension authors
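
The triage a violation reporting endpoint has to perform, separating misconfiguration from a possible vulnerability, sketched as an added example (not TYPO3 core code). It assumes the browser's legacy `report-uri` JSON body format; `triageCspReport` and the `$manifestHosts` list of extension-declared hosts are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. $manifestHosts is a hypothetical list of
// remote hosts that extensions declared in their CSP manifests.
function triageCspReport(string $rawBody, array $manifestHosts): array
{
    // Reports are sent by the browser and are attacker-influenced: cap size, parse strictly.
    if (strlen($rawBody) > 8192) {
        return ['verdict' => 'rejected', 'reason' => 'report too large'];
    }
    $data = json_decode($rawBody, true, 8);
    $report = is_array($data) ? ($data['csp-report'] ?? null) : null;
    if (!is_array($report) || !is_string($report['blocked-uri'] ?? null)) {
        return ['verdict' => 'rejected', 'reason' => 'malformed report'];
    }
    $directive = $report['effective-directive'] ?? $report['violated-directive'] ?? 'unknown';
    $directive = is_string($directive) ? (strtok($directive, ' ') ?: 'unknown') : 'unknown';
    $blocked = $report['blocked-uri'];

    // Browsers send a keyword instead of a URL for inline or eval violations.
    if (in_array($blocked, ['inline', 'eval'], true)) {
        return ['verdict' => 'investigate', 'directive' => $directive,
            'reason' => "$blocked code blocked: legacy inline code or injected markup"];
    }
    $host = parse_url($blocked, PHP_URL_HOST);
    if (is_string($host) && in_array(strtolower($host), $manifestHosts, true)) {
        return ['verdict' => 'misconfiguration', 'directive' => $directive,
            'reason' => "$host is declared in a manifest but missing from the policy"];
    }
    return ['verdict' => 'investigate', 'directive' => $directive,
        'reason' => 'resource from undeclared origin: ' . (is_string($host) ? $host : $blocked)];
}

// Constructed sample reports (not captured from a real installation).
$samples = [
    '{"csp-report":{"document-uri":"https://cms.example/typo3/","effective-directive":"script-src-elem","blocked-uri":"inline"}}',
    '{"csp-report":{"document-uri":"https://cms.example/typo3/","violated-directive":"img-src \'self\'","blocked-uri":"https://maps.example.net/tile.png"}}',
    '{"csp-report":{"document-uri":"https://cms.example/typo3/","effective-directive":"script-src","blocked-uri":"https://cdn.unknown.example/x.js"}}',
    'not json',
];
foreach ($samples as $body) {
    echo json_encode(triageCspReport($body, ['maps.example.net'])), PHP_EOL;
}
```

The second sample is the case the manifest definition is meant to resolve: a host an extension declared but that the active policy does not yet allow.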