CSP: enforceContentSecurityPolicy false :CSP error in frontend

Hi, working on typo3 v12.4.11, CSP error in frontend "Settings of Page blocked loading of external Javascript-Source.

Doesn’t work

  • by default enforceContentSecurityPolicy = false.

  • Checked multiple browsers, error the same

  • htaccess has no CSP Restrictions

  • tested with enforceContentSecurityPolicy = true

  • Script is loaded via Viewhelper using Assetcontroller → addJavascript

  • added useNonce as option

  • added Configurarion/ContentSecurityPolicy.php

Source: Content security policy — TYPO3 Explained 12.4 documentation


  • Adding page.config.additionalHeaders.10.header with CSP script-src and removing Configurarion/ContentSecurityPolicy.php

Tested downgrade because of Bug #102438: CSP-Errors after update to 12.4.8 - TYPO3 Core - TYPO3 Forge


  1. Why does the CSP error can occurs, if enforceContentSecurityPolicy =false
  2. Why does Typoscript additional Header works. Not in documentation. Project ingtegrations the “mutations” shall be used
  3. Any ideas?

That is weird and should not happen. You’re sure you turned the frontend setting to false and not the backend?

It is allowed to have multiple Content-Security-Policy headers, although I would not recommend it, because this can result in unwanted effects. For instance:

add_header Content-Security-Policy "default-src 'self'";
add_header Content-Security-Policy "connect-src 'self' https://api.example.com";

default-src is restrictive and connect-src allows wider permissions, so only default-src is used.

With additionalHeaders it was always possible to add the Content-Security-Policy header.

Yes, i’m sure.
Use security.frontend.enforceContentSecurityPolicy.