Epic #87417

Integrate proper Content Security Policy (CSP) handling

Added by Oliver Hader over 3 years ago. Updated 6 months ago.

Status: New
Priority: Should have
Assignee:
Category: Security
Start date: 2019-01-13
Due date:
% Done: 49%
Estimated time: (Total: 0.00 h)
Sprint Focus:

Description

In order to reduce the risk of cross-site scripting in the TYPO3 backend, proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough: reporting, management and adjustment of core components as well as of 3rd party components (extensions) are required too.

The functionality is outlined as follows:

  • CSP management & configuration module (either on a site level or for whole TYPO3 installation)
  • CSP violation reporting endpoint in order to identify flaws and violations earlier (might be misconfiguration or vulnerability)
  • CSP manifest definition that allows 3rd party extensions to use resources of remote hosts (to be used in management module)
  • adjustment and refactoring of TYPO3 core components & guidelines for extension authors
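As an added illustration of the reporting endpoint and manifest outlined above (example code, not TYPO3's own), this parses the `csp-report` envelope a browser POSTs to `report-uri` and triages each violation against a constructed manifest of declared remote hosts. Python is used here for brevity instead of PHP; the sample bodies, hosts and the `MANIFEST_HOSTS` structure are constructed for the example.

```python
import json
from urllib.parse import urlsplit
# Constructed sample bodies in the "csp-report" envelope a browser POSTs
# (Content-Type: application/csp-report) to report-uri; hosts are made up.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "effective-directive": "script-src", "blocked-uri": "inline",
        "original-policy": "script-src 'self'; report-uri /typo3/csp-report",
    }}),
    json.dumps({"csp-report": {
        "effective-directive": "img-src",
        "blocked-uri": "https://cdn.example.net/badge.png",
        "original-policy": "img-src 'self'; report-uri /typo3/csp-report",
    }}),
    "not json at all",
]
# Hosts an extension manifest declares as legitimate, per directive (constructed).
MANIFEST_HOSTS = {"img-src": {"cdn.example.net"}}

def parse_report(body):
    """Return the inner report dict, or None if the envelope is malformed."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or "effective-directive" not in report:
        return None
    return report

def classify(report):
    """Triage one parsed report into a coarse category for the module."""
    blocked = report.get("blocked-uri", "")
    if blocked in ("inline", "eval"):
        # Inline code or eval: not-yet-refactored component or injected markup.
        return "inline-or-eval"
    host = urlsplit(blocked).hostname or blocked
    if host in MANIFEST_HOSTS.get(report["effective-directive"], set()):
        return "declared-but-unallowed"  # manifest says yes, policy does not
    return "unknown-origin"

def triage(bodies):
    """Count categories over raw request bodies; malformed ones count too."""
    counts = {}
    for body in bodies:
        report = parse_report(body)
        key = classify(report) if report else "malformed"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

A real endpoint would additionally rate-limit and size-cap submissions, since the report URL is unauthenticated and browsers may send many reports per page load.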

Subtasks

Issue: Subject | Status | Assignee | Date
Task #87418: Refactor and remove usage of inline scripts in backend | In Progress | | 2020-04-13
Task #91015: Reduce inline JavaScript in ext:beuser | Closed | Oliver Hader | 2020-04-13
Task #91016: Reduce inline JavaScript in ext:filelist | Closed | Oliver Hader | 2020-04-13
Task #91052: Reduce inline onchange events in backend scope | Closed | Oliver Hader | 2020-04-15
Task #91109: Reduce inline JavaScript in ext:redirects and ext:scheduler | Closed | Oliver Hader | 2020-04-18
Task #91110: Remove superfluous onclick events in FormEngine | Closed | Oliver Hader | 2020-04-18
Task #91111: Reduce inline JavaScript in QueryView | Closed | Oliver Hader | 2020-04-18
Task #91117: Use GlobalEventHandler and ActionDispatcher instead of inline JS | Closed | Oliver Hader | 2020-04-18
Task #91120: Remove superfluous inline JavaScript assignment in ext:beuser | Closed | Oliver Hader | 2020-04-18
Task #91122: Introduce DocumentService as JQuery.ready substitute | Closed | | 2020-04-18
Task #91123: Avoid inline JavaScript generated by BackendUtility:viewOnClick | Closed | Oliver Hader | 2020-04-18
Task #91124: Add substitutes for module menu navigation | Closed | Oliver Hader | 2021-05-04
Task #94058: Remove goToModule() inline JavaScript invocations | Closed | | 2021-05-04
Task #94762: Introduce ModuleStateStorage replacing fsMod | Closed | | 2021-08-09
Task #94828: Avoid errors when using ModuleStateStorage | Closed | Benni Mack | 2021-08-12
Task #91125: Add substitutes for declaring static inline settings | Closed | Oliver Hader | 2020-04-18
Task #91132: Reduce inline JavaScript in ext:setup | Closed | Oliver Hader | 2020-04-19
Task #91191: Reduce inline JavaScript for refreshing backend components | Closed | Oliver Hader | 2020-04-25
Task #91786: Replace RequireJS module loading and invocation | Resolved | Oliver Hader | 2020-07-12
Task #91787: Deprecate and replace inline JavaScript in FormEngine | Closed | Oliver Hader | 2020-07-12
Task #91795: Replace window.open with WindowManager & PreviewUriBuilder | Closed | Oliver Hader | 2020-07-13
Task #91804: Remove inline JavaScript from backend paginate view helper | Closed | Oliver Hader | 2020-07-15
Task #91815: Remove window.open inline JavaScript | Closed | Oliver Hader | 2020-07-17
Task #91820: Remove inline onclick code from MoveElementController | Closed | Oliver Hader | 2020-07-17
Task #93899: Replace inline JS of FormEngine reload request | Closed | | 2021-04-11
Task #94766: Remove obsolete inline JavaScript related to BE routing | Closed | Benni Mack | 2021-08-09
Task #94770: Avoid inline JavaScript in Constant Editor | Closed | Benni Mack | 2021-08-10
Task #94777: Avoid inline JavaScript in DatabaseRecordList | Closed | Oliver Bartsch | 2021-08-10
Task #95200: Streamline requireJS usage in FormEngine | Closed | | 2021-09-12
Task #95260: Substitute inline onclick events for ShortcutMenu | Closed | | 2021-09-17
Task #95266: Remove inline JavaScript from Install Tool | Closed | | 2021-09-17
Task #95276: Clean up code & add deprecation comments | Closed | | 2021-09-20
Task #95277: Refactor new content element realm | Closed | | 2021-09-20
Task #95278: Deprecate inline JavaScript in ModuleTemplate components | Closed | | 2021-09-20
Task #95873: Use explicit JavaScript module instructions in dashboard | Resolved | Oliver Hader | 2021-11-04
Task #95874: Avoid JavaScript eval function in FormEngine AjaxDispatcher | Closed | Oliver Hader | 2021-11-04
Task #95896: Remove inline JavaScript in ViewModule | Resolved | Torben Hansen | 2021-11-07
Task #95953: Transform JavaScriptHander.js to be hybrid IIFE and AMD | Resolved | Oliver Hader | 2021-11-10
Task #95954: Reduce inline JavaScript in FormEngine AJAX responses | Resolved | Oliver Hader | 2021-11-10
Task #95989: Avoid inline JavaScript in Scheduler | Resolved | Oliver Hader | 2021-11-15
Task #96002: Avoid inline JavaScript in backend update signals | Resolved | Oliver Hader | 2021-11-16
Task #96003: Avoid inline JavaScript in DispatchNotificationHook | Resolved | Oliver Hader | 2021-11-16
Task #96012: Avoid inline JavaScript in OpendocsToolbarItem::updateNumberOfOpenDocsHook | Resolved | | 2021-11-17
Task #96018: Avoid inline JavaScript in f:be.menus.actionMenu | Resolved | Oliver Hader | 2021-11-17
Task #96019: Avoid inline JavaScript in wizard EditController | Resolved | Oliver Hader | 2021-11-17
Task #96020: Deprecate \TYPO3\CMS\Backend\Form\Behavior\OnFieldChangeInterface | On Hold | | 2021-11-17
Task #96136: Deprecate inline JavaScript in backend update signals | Resolved | | 2021-11-29
Task #96158: Remove support for inline JavaScript in fieldChangeFunc | Resolved | | 2021-11-30
Task #96185: Avoid inline JavaScript in LinkBrowserController | Resolved | | 2021-12-02
Task #96187: Avoid CKEditor4 inline JavaScript | Accepted | | 2021-12-02
Task #96524: Deprecate inline JavaScript in Dashboard | Resolved | | 2022-01-12
Task #96565: Avoid inline JavaScript for clipboard paste in PageLayoutController | Resolved | Benjamin Franzke | 2022-01-18
Task #96566: Streamline DragUploader JavaScriptModuleInstruction | Resolved | Benjamin Franzke | 2022-01-18
Task #87419: Deprecate functionality used to add inline styles & scripts | On Hold | | 2019-01-13
Feature #87420: Integrate signatures for Stylesheet and JavaScript resources | Accepted | | 2019-01-13
Feature #87421: Integrate CSP reporting endpoint | Accepted | | 2019-01-13
Task #87422: Integrate extension meta-manifest | Accepted | | 2019-01-13
Feature #87423: Integrate CSP management module | Accepted | | 2019-01-13
Task #91785: Refactor and remove inline styles in backend | Accepted | Oliver Hader | 2020-04-28
Task #91216: Replace <style> for compliance with CSP header | Closed | | 2020-04-28
Task #91806: Deprecate BackendUtility::viewOnClick | Closed | Oliver Hader | 2020-07-16
Task #91814: Deprecate TYPO3\CMS\Backend\Template\Components\AbstractControl::setOnClick | Closed | Oliver Hader | 2020-07-17
Task #95898: Extend build process to monitor Content Security Policy violations | Resolved | | 2021-11-07

Related issues

Related to TYPO3 Core - Task #73047: Content-Security-Policy for the Backend | Closed | 2016-01-31
Related to TYPO3 Core - Task #95041: Extract default inline frontend JavaScript | Closed | 2021-08-30
Related to TYPO3 Core - Task #95151: Replace inline JavaScript in AbstractPlugin | Closed | 2021-09-08