DEPRECATION WARNING

This documentation is not using the current rendering mechanism and is probably outdated. The extension maintainer should switch to the new system. Details on how to use the rendering mechanism can be found here.

Main settings

Properties inside plugin.tx_csp.settings

Presets

Presets are predefined content security policy settings for a given concrete use case. For instance: Google maps, Google Analytics, YouTube and so on...

There are some presets delivered with the extension:

  • Google maps
  • Google Analytics
  • YouTube
  • Vimeo
  • Google fonts
  • jQuery
  • TypeKit

There are constants to change the predefined hosts if necessary but these are more as examples as hard coded rules.

Note

Since TYPO3 supports Vimeo and YouTube videos through the media element. These two are enabled by default, the others are deactivated.

Property

presets.<preset_name>.enabled

Data type

boolean

Description

You can enable or disable a preset.

Example

plugin.tx_csp.settings.presets.jQuery.enabled = 0

Property

presets.<preset_name>.rules.<directive>

Data type

string

Description

With the option rules you can set multiple directive values added to the content security policy header. Possible values for directive: default,font,frame,img,media,object,script,style Complete list with browser support: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Browser_compatibility Value is a space separated string of hosts.

Example

plugin.tx_csp.settings.presets.jQuery.rules.style = fonts.googleapis.com fonts.gstatic.com

Examples

plugin.tx_csp.settings.presets {
    googleFonts {
        enabled = 0
        rules {
            style = fonts.googleapis.com fonts.gstatic.com
            font = fonts.googleapis.com fonts.gstatic.com
        }
    }

    jQuery {
        enabled = 1
        rules {
            script = ajax.googleapis.com
        }
    }
}

Additional domains

Property

additionalSources.<directive>.<index>

Data type

string

Description

General sources set for the whole website. Possible values are domains (ajax.googleapis.com) or the following values self => (the website itself, it is already set for the most common directives) unsafe-inline => Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to) and javascript: URIs unsafe-eval => Allows unsafe dynamic code evaluation such as JavaScript eval() none => Prevents loading resources from any source. See the full list: https://content-security-policy.com/#source_list

Reporting

Property

reportOnly

Data type

boolean

Description

If this option set, then instead of the normal Content-Security-Policy Header the Content-Security-Policy-Report-Only header will be sent with a report-uri directive. This is very useful to test the settings. If reportOnly mode set, then any violation will be only listed on the browser's console and sent to an endpoint as a report. Default fallback (if report-uri not set) is /typo3conf/ext/csp/Resources/Public/report.php. The script will write the browser reports in a file (csp-violations.log) in the typo3temp/logs/ (v7) or typo3temp/var/logs/ (v8).

Property

report-uri

Data type

string

Description

An endpoint for the browser reports. It has a default if reportOnly set. (you can use it for an example for own implementation) Report-uri can be used without the ReportOnly, in this case the validations will be blocked but also reported.