Content security policy

Content security policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

According to TYPO3-PSA-2019-010, authenticated users without administrator privileges are allowed to upload files to their granted file mounts (e.g. fileadmin/ in most cases). This includes the possibility of uploading potentially malicious code in HTML or SVG files (containing JavaScript, thus injecting cross-site scripting vulnerabilities).

To mitigate these scenarios it is advised to either deny uploading such files as described in TYPO3-PSA-2019-010 (which might be impractical for some sites) or to add content security policy headers for these directories, basically all publicly available base directories of file storages (sys_file_storage).

The following example sends a corresponding CSP header for any file accessed via https://example.org/fileadmin/…:

# placed in fileadmin/.htaccess on Apache 2.x webserver
<IfModule mod_headers.c>
  Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</IfModule>

For nginx webservers, the following configuration example can be used to send a CSP header for any file accessed via https://example.org/fileadmin/…:

map $request_uri $csp_header {
    ~^/fileadmin/      "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
}

server {
    # Add strict CSP header depending on mapping (fileadmin only)
    add_header Content-Security-Policy $csp_header;
    # ... other add_header declarations can follow here
}

The nginx example configuration uses a map, since top-level add_header declarations are overwritten as soon as add_header is also used in a nested block (e.g. location).

CSP rules can be verified with a CSP-Evaluator.
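As an additional offline check, the following Python example (added here; it is not TYPO3 code or part of this document) parses a CSP header value and verifies that the policy served for a file mount resolves script-src, style-src and object-src to 'none', taking the default-src fallback into account. The sample header values are constructed, not captured from a live site.

```python
"""Check that a Content-Security-Policy header sent for an upload directory
(e.g. /fileadmin/) really blocks scripts, styles and plugins, taking the
default-src fallback into account. Added example; not TYPO3 code."""

# Fetch directives that fall back to default-src when absent (CSP subset)
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "object-src", "img-src",
                       "font-src", "connect-src", "media-src", "frame-src"}
# Directives that must evaluate to exactly 'none' for a static file mount
MUST_BE_NONE = ("script-src", "style-src", "object-src")


def parse_csp(header):
    """Parse a header value into {directive: [source, ...]}. Names are
    case-insensitive; browsers honour only the first occurrence of a name."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources a browser applies for `directive` after the default-src
    fallback; None means nothing restricts it at all."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def check_file_mount_policy(header):
    """Return a list of findings; an empty list means the policy is as
    strict as the fileadmin example in this document."""
    policy = parse_csp(header)
    findings = []
    for directive in MUST_BE_NONE:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unrestricted (no directive, no default-src)")
        elif [s.lower() for s in sources] != ["'none'"]:
            findings.append(f"{directive}: allows {' '.join(sources)}")
    return findings


# Constructed sample headers (not captured from a live site)
STRICT = "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
# Looks restrictive, but script-src falls back to 'self': an uploaded .js would run
WEAK = "default-src 'self'"
```

Run `check_file_mount_policy()` against the header value your webserver actually returns for a file below fileadmin/; the WEAK sample shows why a bare default-src 'self' is not enough for a directory that accepts uploads.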