Oliver Hader authored
+ new feature flag `security.frontend.reportContentSecurityPolicy`, to be used next to `security.frontend.enforceContentSecurityPolicy`, resulting in `Content-Security-Policy-Report-Only` and/or `Content-Security-Policy` HTTP headers
+ new `enforce` and `report` segments in `csp.yaml` site config
+ possibility to disable CSP for a particular site by either setting `active: false` in the `csp.yaml` site config
+ allows having the HTTP headers `Content-Security-Policy` and `Content-Security-Policy-Report-Only` side-by-side in the frontend

Resolves: #101580
Resolves: #104549
Releases: main, 12.4
Change-Id: I8c1a8305702629eac1bfedddbecbc19b452fd500
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632
Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
13758d53