Content Security Policy

[mtrojan-ub]

contentsecuritypolicy.ini:

enabled[production] = false
enabled[development] = "report_only"

We should check the development environment whether there are more security-related errors/warnings in the console and fix them. As soon as everything is correct, we should set enabled[development] to true for a while and if there are no problems on the test servers we shoul also set the production setting to true.

Please note: frame-src[] = "'self'" might not have an effect on the servers right now unless the workaround in the apache configuration is also changed, we should test if this will change the behaviour, see also #1636

[mtrojan-ub]

Is now enabled for test servers, so we should run it there for a couple of days. If it's ok we should change the value for the production environment. Also we might change the manual apache config on the servers (security.conf) and check whether we can remove the X-Frame-options: "sameorigin" since this will be basically the same as the frame-src option in contentsecuritypolicy.ini.

When going live we must definitely make sure that scripts are still working (e.g. matomo).

[mtrojan-ub]

As discussed internally today => since there have been no problems on the test server yet we're at least going to set it to report_only for the live servers soon (but there will be no report-to set yet for tracking.)

[mtrojan-ub]

@LysogorAndGmail: It seems like the Albert Krebs Library Search is no longer working on sobek because the JS snippet related to rs:kreb is not generated via view helper (nonce is missing). Can you please fix that?

[mtrojan-ub]

@LysogorAndGmail: As discussed, please also check the ixtheo2 theme again (e.g. landing page, networking section with the custom map)