View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0011825 | mantisbt | security | public | 2010-04-22 03:59 | 2012-09-03 04:31 |
| Reporter | dhx | Assigned To | dhx | ||
| Priority | normal | Severity | feature | Reproducibility | N/A |
| Status | closed | Resolution | fixed | ||
| Product Version | 1.2.0 | ||||
| Target Version | 1.2.1 | Fixed in Version | 1.2.1 | ||
| Summary | 0011825: Support X-Content-Security-Policy (CSP) | ||||
| Description | Background information on CSP: The specifications: This is a feature planned for Firefox 3.7. In other browsers that don't support X-Content-Security-Policy, this feature is ignored gracefully. Essentially it adds another layer of security against XSS, CSRF and clickjacking attacks. | ||||
| Tags | No tags attached. | ||||
| related to | 0011824 | closed | dhx | Implement X-Frame-Options clickjacking protection |
| related to | 0011826 | closed | dhx | Remove all inline JavaScript from MantisBT (use external scripts instead) |
| related to | 0012165 | acknowledged | Allow mantis to be loaded in an iframe | |
| related to | 0014679 | closed | dregad | Support Content-Security-Policy (CSP) per W3C specification |
|
MantisBT: master-1.2.x d2e05d3e 2010-04-22 04:26 Details Diff |
Issue 0011825: Support X-Content-Security-Policy (CSP) Firefox 3.7 supports a new security mechanism called Content Security Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking attacks. We can ensure that MantisBT doesn't load any files (images, scripts, etc) from external domains by using CSP. The exception to this rule at the moment is the use of Gravatar for user avatar support in MantisBT. CSP also allows us to limit the domains which can include MantisBT within an iframe, helping prevent clickjacking attacks. At the moment we don't allow MantisBT to be included in any iframes from any domain. In the future we'll need to create a mechanism for plugins to notify MantisBT of other domains that are safe to load external data from. |
Affected Issues 0011825 |
|
| mod - core/http_api.php | Diff File | ||
|
MantisBT: master 517cd271 2010-04-22 04:26 Details Diff |
Issue 0011825: Support X-Content-Security-Policy (CSP) Firefox 3.7 supports a new security mechanism called Content Security Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking attacks. We can ensure that MantisBT doesn't load any files (images, scripts, etc) from external domains by using CSP. The exception to this rule at the moment is the use of Gravatar for user avatar support in MantisBT. CSP also allows us to limit the domains which can include MantisBT within an iframe, helping prevent clickjacking attacks. At the moment we don't allow MantisBT to be included in any iframes from any domain. In the future we'll need to create a mechanism for plugins to notify MantisBT of other domains that are safe to load external data from. |
Affected Issues 0011825 |
|
| mod - core/http_api.php | Diff File | ||
