[TASK] Introduce Content-Security-Policy-Report-Only handling (13758d53) · Commits · TYPO3 / TYPO3.CMS

Commit 13758d53 authored 7 months ago by

Oliver Hader Committed by Oliver Hader 7 months ago

[TASK] Introduce Content-Security-Policy-Report-Only handling

+ new feature flag `security.frontend.reportContentSecurityPolicy`,
  to be used next to `security.frontend.enforceContentSecurityPolicy`,
  resulting in `Content-Security-Policy-Report-Only` and/or
  `Content-Security-Policy` HTTP headers
+ new `enforce` and `report` segments in `csp.yaml` site config
+ possibility to disable CSP for a particular site by either setting
  `active: false` in the `csp.yaml` site config
+ allows having the HTTP headers `Content-Security-Policy` and
  `Content-Security-Policy-Report-Only` side-by-side in the frontend

Resolves: #101580
Resolves: #104549
Releases: main, 12.4
Change-Id: I8c1a8305702629eac1bfedddbecbc19b452fd500
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/85632


Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>

parent 7c920f26

Branches