[TYPO3-dev] protecting TYPO3 against cross-site scripting and click-jacking attacks?

Jigal van Hemert jigal at xs4all.nl
Sun Apr 17 20:28:59 CEST 2011


Hi,

On 17-4-2011 19:09, Helmut Hummel wrote:
> Integration of CSP for 4.6 would be nice, but also not very easy.

CSP headers seem very easy to implement, although we have to give some 
thought to sensible default settings.

I can imagine a configuration like:
config {
	XContentSecurityPolicy {
		allow = 'self' *.example.org
		options = inline-script eval-script
		img-src = *
		media-src = *
		script-src = *.example.com
		object-src = 'none'
		frame-src =
		font-src =
		xhr-src =
		frame-ancestors =
		style-src =
		report-uri =
		policy-uri =
	}
}
(not a list of good defaults, but more a list of possibilities)
It's quite easy to convert this to the appropriate header.

A nice extra would be to have a processor for the reports that could add 
them to a log.

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert.
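As an added illustration (not code from this post or from TYPO3 itself), the sketch above can be turned into the header value of the 2011 X-Content-Security-Policy draft: empty directives are dropped, directives are emitted in a fixed order with `allow` first, and `policy-uri`, which the draft requires to stand alone, is rejected when combined with anything else. The sample block, the directive list and the helper names are assumptions for this example.

```python
import re

# Constructed sample mirroring the TypoScript-style sketch from the mail (not TYPO3's real parser)
SAMPLE_CONFIG = """
config {
	XContentSecurityPolicy {
		allow = 'self' *.example.org
		options = inline-script eval-script
		img-src = *
		media-src = *
		script-src = *.example.com
		object-src = 'none'
		frame-src =
		font-src =
		xhr-src =
		frame-ancestors =
		style-src =
		report-uri =
		policy-uri =
	}
}
"""

# Directives of the X-Content-Security-Policy draft, in the order we emit them (allow first)
KNOWN_DIRECTIVES = ("allow", "options", "img-src", "media-src", "script-src", "object-src",
                    "frame-src", "font-src", "xhr-src", "frame-ancestors", "style-src",
                    "report-uri", "policy-uri")

def parse_policy_block(text):
    """Return {directive: value} for non-empty known directives inside XContentSecurityPolicy {...}."""
    match = re.search(r"XContentSecurityPolicy\s*\{(.*?)\}", text, re.S)
    if not match:
        return {}
    directives = {}
    for line in match.group(1).splitlines():
        if "=" not in line:
            continue  # blank line or comment-like noise
        key, _, value = line.partition("=")
        key, value = key.strip(), " ".join(value.split())  # normalise inner whitespace
        if key in KNOWN_DIRECTIVES and value:  # "frame-src =" (empty) is simply omitted
            directives[key] = value
    return directives

def build_header_value(directives):
    """Serialise directives as 'name value; name value'; policy-uri must be the only directive."""
    if "policy-uri" in directives and len(directives) > 1:
        raise ValueError("policy-uri cannot be combined with other directives")
    return "; ".join(f"{d} {directives[d]}" for d in KNOWN_DIRECTIVES if d in directives)

def policy_header(text):
    """Full (header name, value) pair a front end would add to the response."""
    return ("X-Content-Security-Policy", build_header_value(parse_policy_block(text)))
```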



