Mantis Bug Tracker 1.2.1 includes initial support for X-Frame-Options and X-Content-Security-Policy. These two browser security features aim to protect users against clickjacking attacks. If you’re unfamiliar with clickjacking, this presentation by Paul Stone at Black Hat EU 2010 provides an introduction to the topic. Essentially, these options prevent a MantisBT site from being embedded within an IFrame on another website.
X-Frame-Options is supported in the latest versions of Internet Explorer, Opera, Safari and Chrome. If you’re using Firefox, you’ll need to install the NoScript extension to gain support for X-Frame-Options. However, Firefox 3.7 (currently under development) will support a more advanced security system called Content Security Policy (CSP). Where X-Frame-Options lets you toggle framing between on and off states, CSP lets you define rules for which domains are allowed to frame your MantisBT installation. CSP goes beyond providing just clickjacking protection and will also block data (images, scripts, etc.) that is hosted on a different domain. Again, rules can be configured to allow data to be loaded from external domains if necessary. This feature is useful as an added layer of security against cross site scripting (XSS) attacks, as an attacker can no longer load scripts or data from malicious websites.
At the moment there are no configuration options within MantisBT to disable this new clickjacking protection. If you know what you’re doing and understand the clickjacking threat to your MantisBT installation, you can disable or reconfigure the clickjacking protection within core/http_api.php. If you want to insert your MantisBT installation within an IFrame from a page on the same domain (for instance, bugs.yourname.com contains an IFrame which loads bugs.yourname.com/mantisbt/) then you will need to change the http_security_headers() function as follows:
Change:

    header( 'X-Frame-Options: DENY' );

to:

    header( 'X-Frame-Options: SAMEORIGIN' );

and change:

    header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'none'" );

to:

    header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors 'self'" );
If you want to load your MantisBT installation in an IFrame from a different domain, then you’ll need to comment out (place two forward slashes in front of) this line:
    header( 'X-Frame-Options: DENY' );
You’ll then also need to make the following change, where somewhere.yourdomain.com is the domain containing the page which loads MantisBT within an IFrame:
    header( "X-Content-Security-Policy: allow 'self'; options inline-script eval-script$t_avatar_img_allow; frame-ancestors somewhere.yourdomain.com" );
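The three edits above all come down to keeping X-Frame-Options and the CSP frame-ancestors directive in agreement. As an added illustration (not MantisBT's own code), the following PHP builds the matching header pair from a single framing mode; the function names framing_headers() and send_framing_headers() are hypothetical, and $t_avatar_img_allow is assumed to be the same avatar-host string MantisBT appends in http_security_headers().

```php
<?php
// Added example, not part of MantisBT: derive both clickjacking headers from
// one framing mode so the X-Frame-Options value and the CSP frame-ancestors
// directive never contradict each other.
function framing_headers( $p_mode, $p_frame_host = '', $t_avatar_img_allow = '' ) {
    switch ( $p_mode ) {
        case 'deny':        // default in MantisBT 1.2.1: no framing at all
            $t_xfo = 'DENY';
            $t_ancestors = "'none'";
            break;
        case 'sameorigin':  // frame only from pages on the same domain
            $t_xfo = 'SAMEORIGIN';
            $t_ancestors = "'self'";
            break;
        case 'host':        // frame only from one named external domain
            // Only accept a plain hostname; anything else would corrupt the policy.
            if ( !preg_match( '/^[a-z0-9.-]+$/i', $p_frame_host ) ) {
                throw new InvalidArgumentException( 'invalid frame host' );
            }
            // X-Frame-Options has only DENY/SAMEORIGIN here, so it is omitted
            // (the equivalent of commenting the line out) and CSP carries the rule.
            $t_xfo = null;
            $t_ancestors = $p_frame_host;
            break;
        default:
            throw new InvalidArgumentException( 'unknown framing mode' );
    }
    $t_headers = array();
    if ( $t_xfo !== null ) {
        $t_headers[] = 'X-Frame-Options: ' . $t_xfo;
    }
    $t_headers[] = "X-Content-Security-Policy: allow 'self'; options inline-script eval-script"
        . $t_avatar_img_allow . '; frame-ancestors ' . $t_ancestors;
    return $t_headers;
}

// Send the headers; must run before any page output is emitted.
function send_framing_headers( $p_mode, $p_frame_host = '', $t_avatar_img_allow = '' ) {
    foreach ( framing_headers( $p_mode, $p_frame_host, $t_avatar_img_allow ) as $t_header ) {
        header( $t_header );
    }
}

// Show the pair produced for framing from somewhere.yourdomain.com.
foreach ( framing_headers( 'host', 'somewhere.yourdomain.com' ) as $t_header ) {
    echo $t_header, "\n";
}
```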
As mentioned earlier, CSP also restricts the domains from which you can load external content (images, scripts, etc.). If you’ve written any custom plugins for MantisBT that load data in the browser from different domains (and if your users are using Firefox 3.7 beta), then you’ll need to read the CSP specifications and add the required headers within the http_security_headers() function in http_api.php.
The addition of these clickjacking prevention measures to MantisBT 1.2.1 helps keep your MantisBT installation secure against the “latest” (clickjacking has been around for years already) web application attacks. We hope to enhance this protection in future versions of MantisBT as these experimental browser clickjacking specifications are further developed. MantisBT 1.2.0 includes robust cross site request forgery (CSRF) protection and many improvements to preventing cross site scripting (XSS) attacks (including cookie protection with the HttpOnly flag). If you’re still using MantisBT 1.1.8 or an earlier version, you are strongly encouraged to upgrade to MantisBT 1.2.1 to ensure that your bug tracker(s) are properly secured.