
Extension must support Content-Security-Policy #36

Open
josefglatz opened this issue Oct 19, 2023 · 2 comments
Assignees
Labels
bug Something isn't working enhancement New feature or request

Comments

@josefglatz
Contributor

As for now, the SCRIPT tags are added to the source code via page.headerData.1234, not via the right TYPO3 API way.

On top of that, it's on purpose by the TYPO3 core team that ways like page.jsInline and others (or e.g. using page.headerData.1234 = TEXT to add "something" to the HEAD of the source code) will not support nonce values.

The property useNonce does not exist for TEXT cObjects… adding it to jsInline would be too generic.

Thus, currently the best choice probably is to use a FluidTemplate or some own custom cObject or UserFunc to trigger either AssetRenderer or PageRenderer. If I had to decide, I would go for AssetRenderer (AssetCollector).

@josefglatz josefglatz added bug Something isn't working enhancement New feature or request labels Oct 19, 2023
@helmutstrasser
Collaborator

The Asset Renderer is no option. I tested this and it is indeed a perfect way to inject the nonce into the tag. But it looks like the browser, or rather the CSP, has a problem with the type "application/supi" and blocks the script completely, denying the nonce. Removing the type makes the nonce work.
What did the trick was to implement a hash. But it looks like we have to reconsider using the type to "deactivate" the inline script.
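The hash-based allow-listing that worked in the comment above, as an added example that is not code from this issue or from the extension: it computes the CSP hash source for an inline script body the way a browser does (over the exact text between the script tags; the type attribute plays no part), builds a script-src directive from it, and checks a body against a directive. The inline script is a constructed sample.

```python
import base64
import hashlib

# Constructed sample inline script; not the extension's real script body.
INLINE_SCRIPT = "window.supi = window.supi || {};\nwindow.supi.ready = true;"

CSP_HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for an inline script.

    The hash covers the exact text between <script> and </script>, including
    leading/trailing whitespace and newlines. Any change to that text (minification,
    re-indentation, an injected nonce or timestamp) invalidates the hash, so the
    directive must be generated from the final rendered body.
    """
    if algo not in CSP_HASH_ALGOS:
        raise ValueError("CSP only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def script_src_directive(script_bodies, extra_sources=("'self'",)) -> str:
    """Build a script-src directive that allows the given inline scripts by hash."""
    sources = list(extra_sources) + [csp_hash(body) for body in script_bodies]
    return "script-src " + " ".join(sources)


def inline_script_allowed(script_body: str, script_src: str) -> bool:
    """Check whether a script body matches a hash source in a script-src directive."""
    for token in script_src.split():
        for algo in CSP_HASH_ALGOS:
            if token.startswith(f"'{algo}-") and csp_hash(script_body, algo) == token:
                return True
    return False


if __name__ == "__main__":
    directive = script_src_directive([INLINE_SCRIPT])
    print("Content-Security-Policy:", directive)
    print("allowed:", inline_script_allowed(INLINE_SCRIPT, directive))
    # A single added space changes the body and therefore the hash.
    print("allowed after edit:", inline_script_allowed(INLINE_SCRIPT + " ", directive))
```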

@josefglatz
Contributor Author

As discussed in our internal meeting:

  • cObject SUPI_JS as solution already developed in main
  • documentation for the new cObject by @garfieldius
  • release of 7.x with an updated changelog where an integrator sees breaking changes, like in the ext:news docs.


3 participants