[TYPO3-dev] protecting TYPO3 against cross-site scripting and click-jacking attacks ?
Helmut Hummel
helmut.hummel at typo3.org
Wed Apr 20 09:33:26 CEST 2011
Hi,
On 17.04.11 20:28, Jigal van Hemert wrote:
> On 17-4-2011 19:09, Helmut Hummel wrote:
>> Integration of CSP for 4.6 would be nice, but also not very easy.
>
> CSP headers seem very easy to implement,
Sending the headers is of course easy.
> although we have to give some
> thought to sensible default settings.
That is the difficult part, especially when taking the whole backend
stuff (JavaScript) into account, and especially when not allowing inline JS
to be executed (which absolutely makes sense).
> I can imagine a configuration like:
> config {
> XContentSecurityPolicy {
> allow = 'self' *.example.org
> options = inline-script eval-script
> img-src = *
> media-src = *
> script-src = *.example.com
> object-src = 'none'
> frame-src =
> font-src =
> xhr-src =
> frame-ancestors =
> style-src =
> report-uri =
> policy-uri =
> }
> }
> (not a list of good defaults, but more a list of possibilities)
> It's quite easy to convert this to the appropriate header.
The example looks good.
> A nice extra would be to have a processor for the reports that could add
> them to a log.
Yes, would be nice.
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
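The two pieces discussed above, converting a TypoScript-style configuration block into the header value and turning a browser violation report into a log line, as an added example. This is not TYPO3 core code and not code from either poster; it is a stand-alone PHP sketch that assumes the array keys mirror Jigal's proposal (the 2011 draft directive names `allow`, `options`, `xhr-src`, `policy-uri`), maps them onto the standardized directive names (`default-src`, `connect-src`, `'unsafe-inline'`/`'unsafe-eval'` on `script-src`), and assumes the report body is the JSON object with a `csp-report` key that browsers POST to `report-uri`. The function names, the `/csp-report` path and the sample report are all constructed for the example.

```php
<?php
// Added example, not TYPO3 code: build a CSP header from a TypoScript-style array
// as proposed in this thread, and format a violation report for logging.
declare(strict_types=1);

// 2011 draft directive names -> standardized names; everything else passes through.
const CSP_DIRECTIVE_MAP = [
    'allow'   => 'default-src',
    'xhr-src' => 'connect-src',
];

/**
 * $config keys mirror the TypoScript proposal; values are space-separated source
 * lists. Empty values are skipped. "options = inline-script eval-script" becomes
 * 'unsafe-inline' / 'unsafe-eval' on script-src, where the standard puts them.
 */
function buildCspHeader(array $config): string
{
    $directives = [];
    $scriptExtras = [];

    foreach ($config as $name => $value) {
        $value = trim((string)$value);
        if ($value === '') {
            continue;
        }
        if ($name === 'options') {
            foreach (preg_split('/\s+/', $value) as $opt) {
                if ($opt === 'inline-script') {
                    $scriptExtras[] = "'unsafe-inline'";
                } elseif ($opt === 'eval-script') {
                    $scriptExtras[] = "'unsafe-eval'";
                }
            }
            continue;
        }
        if ($name === 'policy-uri') {
            continue; // dropped from the standardized header
        }
        $directive = CSP_DIRECTIVE_MAP[$name] ?? $name;
        $directives[$directive] = preg_split('/\s+/', $value);
    }

    if ($scriptExtras !== []) {
        // The flags only apply to script-src; inherit the default-src list if none is set.
        $base = $directives['script-src'] ?? $directives['default-src'] ?? ["'self'"];
        $directives['script-src'] = array_merge($base, $scriptExtras);
    }

    $parts = [];
    foreach ($directives as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', array_unique($sources));
    }
    return implode('; ', $parts);
}

/** True when the policy still permits inline script, which the thread argues against. */
function allowsInlineScript(string $header): bool
{
    return (bool)preg_match("/(?:^|;\s*)script-src[^;]*'unsafe-inline'/", $header);
}

/**
 * Turn the JSON body POSTed to report-uri into a single log line.
 * Returns null when the body is not a well-formed report.
 */
function formatCspReport(string $jsonBody): ?string
{
    $data = json_decode($jsonBody, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null;
    }
    $r = $data['csp-report'];
    $fields = ['document-uri', 'violated-directive', 'blocked-uri', 'source-file', 'line-number'];
    $out = [];
    foreach ($fields as $f) {
        // Strip control characters: the report is attacker-controlled input and must
        // not be able to forge additional log lines.
        $out[] = $f . '=' . preg_replace('/[\x00-\x1f\x7f]/', '', (string)($r[$f] ?? '-'));
    }
    return 'CSP violation ' . implode(' ', $out);
}

// --- usage with a constructed configuration and a constructed report ---
$weak = ['allow' => "'self' *.example.org", 'options' => 'inline-script eval-script',
         'img-src' => '*', 'object-src' => "'none'", 'report-uri' => '/csp-report'];
$hardened = $weak;
$hardened['options'] = '';              // no inline or eval script
$hardened['frame-ancestors'] = "'self'"; // the click-jacking side of the subject line

echo buildCspHeader($weak), "\n";
echo buildCspHeader($hardened), "\n";
var_dump(allowsInlineScript(buildCspHeader($weak)));
var_dump(allowsInlineScript(buildCspHeader($hardened)));

$report = json_encode(['csp-report' => ['document-uri' => 'https://www.example.org/',
    'violated-directive' => "script-src 'self'", 'blocked-uri' => 'https://evil.test/x.js',
    'source-file' => 'https://www.example.org/', 'line-number' => 12]]);
echo formatCspReport($report), "\n";
```

The value returned by buildCspHeader() is what would be sent with header('Content-Security-Policy: ...'); in 2011 Firefox only understood the X-Content-Security-Policy name and the draft syntax, so a real integration would need to pick the header name and syntax per browser. allowsInlineScript() is the check a sensible-defaults discussion wants: the backend may need inline script for a while, but the frontend default should fail this check.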