Task #95898
Status: closed
Parent: Epic #87417: Integrate proper Content Security Policy (CSP) handling
Extend build process to monitor Content Security Policy violations
Start date:
2021-11-07
Due date:
% Done:
100%
Estimated time:
TYPO3 Version:
11
PHP Version:
Tags:
Complexity:
Sprint Focus:
Description
In order to actively monitor a possible introduction of new inline JavaScript in TYPO3 core, we could extend the acceptance test build process on GitLab CI as follows:
1. Extend the TYPO3 instance used for acceptance tests to send a `Content-Security-Policy-Report-Only` header which reports violations via the `report-uri` directive to a known endpoint (see 2.)
2. Add a CSP violation endpoint to TYPO3 core, which is only available when running acceptance tests (e.g. it could be a dedicated package as dev dependency). The endpoint simply collects all CSP violations to a logfile.
3. Analyze the logfile for potential new CSP violations and let the build step fail (or soft fail) if new CSP violations are detected
4. On fail, save the logfile as an artifact in GitLab
In the short term, this would catch new CSP violations in the parts of TYPO3 that are currently covered by acceptance tests. In the long term, we could create new acceptance test scenarios for the parts of TYPO3 that are not yet covered by acceptance tests.
Note: This is currently only an idea. I do not know if we can extend the acceptance test setup as described, but in theory this should all be possible to implement.
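The following is an added example sketching steps 2 and 3 of the proposal; it is not code from this issue or from TYPO3 core. It assumes a report endpoint at `/csp-report` (a hypothetical path), the classic `report-uri` JSON body format that browsers POST (`{"csp-report": {...}}`), and a baseline set of already-known violations that the build compares against. The sample report bodies and TYPO3 module paths are constructed for the example. Violations are reduced to a host-independent key (document path, effective directive, blocked URI, source file and line) so that the same inline script is counted once across runs regardless of query strings, and a non-CSP body is rejected rather than logged so the logfile stays parseable.

```python
"""Collect Content-Security-Policy-Report-Only reports and flag new ones.

Added example, not TYPO3 core code. Assumes the classic report-uri body
format ({"csp-report": {...}}) and a hypothetical /csp-report endpoint.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Header the acceptance-test instance would send (constructed example;
# the policy value is an assumption, not TYPO3's actual policy).
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: script-src 'self'; report-uri /csp-report"
)


def violation_key(report):
    """Reduce one csp-report object to a stable, host-independent key."""
    directive = report.get("effective-directive") or report.get(
        "violated-directive", ""
    ).split(" ")[0]
    document = urlsplit(report.get("document-uri", "")).path
    blocked = report.get("blocked-uri", "")  # "inline", "eval" or a URL
    if "://" in blocked:
        parts = urlsplit(blocked)
        blocked = f"{parts.netloc}{parts.path}"  # drop scheme, query, fragment
    source = urlsplit(report.get("source-file", "")).path
    line = report.get("line-number", 0)
    return f"{document}|{directive}|{blocked}|{source}:{line}"


def handle_report(body, log):
    """Endpoint side: validate the POSTed body and append one JSON line to the log.

    Returns True when accepted, False when the body is not a CSP report.
    """
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(report, dict):
        return False
    log.append(json.dumps({"key": violation_key(report), "report": report}, sort_keys=True))
    return True


def find_new_violations(log, baseline):
    """Build side: count logged violations and return those absent from the baseline."""
    counts = Counter(json.loads(line)["key"] for line in log)
    return {key: n for key, n in counts.items() if key not in baseline}


def build_step(log, baseline):
    """Exit code for the CI job: 0 if no new violations were logged, 1 otherwise."""
    new = find_new_violations(log, baseline)
    for key, n in sorted(new.items()):
        print(f"NEW CSP violation ({n}x): {key}")
    return 1 if new else 0


def make_report(document, source, line, blocked="inline"):
    """Build a constructed report body shaped like a browser's report-uri POST."""
    return json.dumps({"csp-report": {
        "document-uri": document,
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "script-src 'self'; report-uri /csp-report",
        "blocked-uri": blocked,
        "source-file": source,
        "line-number": line,
    }})


# Constructed sample input: one known inline script, one new inline script
# reported twice under different query strings, and one non-CSP body.
SAMPLE_BODIES = [
    make_report("https://typo3.test/typo3/module/web/layout?id=1",
                "https://typo3.test/typo3/module/web/layout?id=1", 42),
    make_report("https://typo3.test/typo3/module/page/new?id=7",
                "https://typo3.test/typo3/module/page/new?id=7", 17),
    make_report("https://typo3.test/typo3/module/page/new?id=9",
                "https://typo3.test/typo3/module/page/new?id=9", 17),
    '{"not": "a csp report"}',
]

# Constructed baseline of violations already accepted by the build.
KNOWN_VIOLATIONS = {"/typo3/module/web/layout|script-src|inline|/typo3/module/web/layout:42"}


def run_example():
    """Feed the sample bodies through the endpoint and analyze the resulting log."""
    log = []
    accepted = [handle_report(body, log) for body in SAMPLE_BODIES]
    return accepted, find_new_violations(log, KNOWN_VIOLATIONS)


if __name__ == "__main__":
    collected = []
    for sample in SAMPLE_BODIES:
        handle_report(collected, sample) if False else handle_report(sample, collected)
    raise SystemExit(build_step(collected, KNOWN_VIOLATIONS))
```

In the CI job, `build_step` would read the logfile written by the endpoint and the baseline checked into the repository; a non-zero exit fails the step, and the logfile is what gets uploaded as the artifact. Reviewing the baseline file in a merge request is then the place where a deliberately added inline script is acknowledged.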