CSP in documentation
Forum rules
Always add your TYPO3, Aimeos and PHP version as well as your environment (Linux/Mac/Win)
Spam and unrelated posts will be removed immediately!
Hi Aimeos-Team,
Is the docu for setting the header in TYPO3 for Content-Security-Policy an alternate syntax, or is it wrong?
https://aimeos.org/docs/2024.x/typo3/optimize/
The TYPO3 docu says here that this is an indexed array, not a single string:
https://docs.typo3.org/m/typo3/referenc ... nalheaders
I think that has no effect and therefore no CSP headers are sent.
Code:
config.additionalHeaders = Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
| X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
| X-Webkit-CSP: default-src 'self'; style-src 'self' 'unsafe-inline'
I changed to the array-like style, and now many of our external scripts and images (e.g. src="data:") are blocked by browsers, which should be the expected behavior for CSP blocking.
So I think it should be:
Code:
config.additionalHeaders {
110.header = Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
120.header = X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
130.header = X-Webkit-CSP: default-src 'self'; style-src 'self' 'unsafe-inline'
}
Last edited by heural on 07 Apr 2025, 13:47, edited 2 times in total.
Thanks a lot!
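To see why `default-src 'self'` blocks the `src="data:"` images mentioned above, here is an added Python example (not Aimeos or TYPO3 code) that evaluates a CSP header against a requested URL, including the default-src fallback. It implements a simplified subset of CSP source matching ('self', 'none', scheme sources, host sources with a `*.` prefix; paths and nonces are ignored), and the policies, origins and URLs it uses are constructed for the example.

```python
from urllib.parse import urlsplit
# Sample policies (constructed): the one from the TYPO3 docs snippet above, and a
# relaxed variant that additionally allows data: images and one script CDN.
DOCS_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'"
RELAXED_POLICY = ("default-src 'self'; style-src 'self' 'unsafe-inline'; "
                  "img-src 'self' data:; script-src 'self' https://cdn.example.com")

# Fetch directives that fall back to default-src when not set explicitly (CSP3 subset).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "frame-src", "object-src", "worker-src"}

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [lower-cased source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def _host_matches(pattern: str, url: str) -> bool:
    """Host-source match: optional scheme, host with optional '*.' prefix (paths ignored)."""
    p = urlsplit(pattern if "://" in pattern else "//" + pattern)
    u = urlsplit(url)
    if p.scheme and p.scheme != u.scheme:
        return False
    if (p.hostname or "").startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(p.hostname[1:])
    return p.hostname is not None and u.hostname == p.hostname

def source_allowed(header: str, directive: str, url: str, page_origin: str) -> bool:
    """True if `url` may be loaded for `directive` on a page served from `page_origin`."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")  # this fallback is why data: images get blocked
    if sources is None:
        return True  # neither the directive nor default-src is set: CSP does not restrict it
    page, u = urlsplit(page_origin), urlsplit(url)
    for s in sources:
        if s == "'none'":
            return False
        if s == "'self'":
            if (u.scheme, u.hostname, u.port) == (page.scheme, page.hostname, page.port):
                return True
        elif s.endswith(":") and url.lower().startswith(s):
            return True  # scheme source such as data: or https:
        elif not s.startswith("'") and _host_matches(s, url):
            return True  # keyword sources like 'unsafe-inline' are skipped here
    return False
```

Running the docs policy against an inline `data:` image returns False, while the relaxed policy returns True; checking a candidate policy this way before deploying it shows which resources the header will block.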
Re: CSP in documentation
The browser-specific headers shouldn't be necessary any more. Does that also work?
Code:
config.additionalHeaders {
110.header = Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
}
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos,
give us a star