Oliver Hader authored
This change introduces various representations of the Content-Security-Policy domain as PHP classes.

The PSR-15 middlewares `ContentSecurityPolicyHeaders` are applying the corresponding HTTP headers to each response in the frontend and backend scope - in case no other component already added a `Content-Security-Policy` or `Content-Security-Policy-Report-Only` header, and only if the corresponding feature flag is enabled:

+ `security.backend.enforceContentSecurityPolicy`
+ `security.frontend.enforceContentSecurityPolicy`

For new installations `security.backend.enforceContentSecurityPolicy` is enabled via factory default settings.

Resolves: #100055
Related: #99499
Related: #97068
Releases: main
Change-Id: I355393738f1d578b612e0e041e87be643f9e389a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77997
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
7b7a7a1c
ContentSecurityPolicyHeaders.php 2.33 KiB