TYPO3/Improve security/en

Protect against cross site scripting (XSS)
Modern browsers can be told to prevent execution of injected Javascript by an attacker. The technique is called "Content Security Policy" and can be activated by sending appropriate HTTP headers. Within TYPO3 this can be configured with a single TypoScript statement:

config.additionalHeaders = Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' | X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' | X-Webkit-CSP: default-src 'self'; style-src 'self' 'unsafe-inline'

This must be a single line in the configuration template which should be part of the root page. It tells the browser to allow only content (Javascript, CSS, images, etc.) from your own server and also inline CSS declarations (necessary for displaying the product pictures as scalable background).

Note: If you are using a different domain for serving static content, you have to add this domain to the "default-src" and "style-src" statement (without apostrophes in this case).