Important: #101580 - Introduce Content-Security-Policy-Report-Only handling

See forge#101580

Description

The feature flag security.frontend.reportContentSecurityPolicy ($GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.reportContentSecurityPolicy']) can be used to apply the Content-Security-Policy-Report-Only HTTP header for frontend responses.

When both feature flags are activated, both headers are sent. You can deactivate one disposition in the site-specific configuration.

This makes it possible to test and assess the potential impact of introducing Content-Security-Policy in the frontend without actually blocking any functionality.

This behavior can be controlled on a site-specific scope as well, see Important: #104549 - Introduce site-specific Content-Security-Policy-Disposition.