[TYPO3-dev] protecting TYPO3 against cross-site scripting and click-jacking attacks ?
Jigal van Hemert
jigal at xs4all.nl
Sun Apr 17 20:28:59 CEST 2011
Hi,
On 17-4-2011 19:09, Helmut Hummel wrote:
> Integration of CSP for 4.6 would be nice, but also not very easy.
CSP headers seem very easy to implement, although we have to give some
thought to sensible default settings.
I can imagine a configuration like:
config {
  XContentSecurityPolicy {
    allow = 'self' *.example.org
    options = inline-script eval-script
    img-src = *
    media-src = *
    script-src = *.example.com
    object-src = 'none'
    frame-src =
    font-src =
    xhr-src =
    frame-ancestors =
    style-src =
    report-uri =
    policy-uri =
  }
}
(not a list of good defaults, but more a list of possibilities)
It's quite easy to convert this to the appropriate header.
A nice extra would be to have a processor for the reports that could add
them to a log.
--
Kind regards / met vriendelijke groet,
Jigal van Hemert.
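As an added illustration (not code from the post or from TYPO3), the following Python shows the conversion the post describes: it reads an XContentSecurityPolicy block in the TypoScript-like form above and emits the header value, dropping empty directives and rejecting directive names it does not know. The directive names are the X-Content-Security-Policy ones listed in the post; the sample block is constructed.

```python
# Added illustration, not TYPO3 code: turn an XContentSecurityPolicy block
# into a header value. Directive names follow the X-Content-Security-Policy
# syntax used in the post; the sample block below is constructed.
import re
SAMPLE_CONFIG = """
config {
  XContentSecurityPolicy {
    allow = 'self' *.example.org
    options = inline-script eval-script
    img-src = *
    script-src = *.example.com
    object-src = 'none'
    frame-src =
  }
}
"""
# Directive names the header understands; anything else is rejected so a
# typo in TypoScript cannot silently weaken the policy.
KNOWN_DIRECTIVES = {
    "allow", "options", "img-src", "media-src", "script-src", "object-src",
    "frame-src", "font-src", "xhr-src", "frame-ancestors", "style-src",
    "report-uri", "policy-uri",
}
_LINE = re.compile(r"^\s*([a-z-]+)\s*=\s*(.*?)\s*$")

def parse_policy_block(text):
    """Return {directive: [sources]} in config order; empty values are kept."""
    directives, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("XContentSecurityPolicy"):
            inside = True  # entered the block
            continue
        if not inside:
            continue
        if stripped == "}":  # first closing brace ends the block
            break
        match = _LINE.match(line)
        if match is None:
            continue
        name, value = match.groups()
        if name not in KNOWN_DIRECTIVES:
            raise ValueError("unknown CSP directive: %s" % name)
        directives[name] = value.split()
    return directives

def build_header(directives):
    """Join the non-empty directives with '; '; empty ones are dropped."""
    return "; ".join("%s %s" % (n, " ".join(v)) for n, v in directives.items() if v)

def csp_header(text):
    return "X-Content-Security-Policy", build_header(parse_policy_block(text))
```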