| Field | Value |
|---|---|
| ID | 0011825 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2010-04-22 03:59 |
| Last Update | 2012-09-03 04:31 |
| Reporter | dhx |
| Assigned To | dhx |
| Priority | normal |
| Severity | feature |
| Reproducibility | N/A |
| Status | closed |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 1.2.0 |
| Target Version | 1.2.1 |
| Fixed in Version | 1.2.1 |
| Summary | 0011825: Support X-Content-Security-Policy (CSP) |
| Tags | No tags attached. |
| Attached Files | |

Description

Background information on CSP: https://wiki.mozilla.org/Security/CSP/Design_Considerations

The specifications: https://wiki.mozilla.org/Security/CSP/Specification

This is a feature planned for Firefox 3.7. In other browsers that don't support X-Content-Security-Policy, this feature is ignored gracefully. Essentially it adds another layer of security against XSS, CSRF and clickjacking attacks.
Related Changesets

MantisBT: master-1.2.x d2e05d3e
Timestamp: 2010-04-22 08:26:26  Author: dhx

Issue 0011825: Support X-Content-Security-Policy (CSP)

Firefox 3.7 supports a new security mechanism called Content Security Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking attacks.

We can ensure that MantisBT doesn't load any files (images, scripts, etc) from external domains by using CSP. The exception to this rule at the moment is the use of Gravatar for user avatar support in MantisBT.

CSP also allows us to limit the domains which can include MantisBT within an iframe, helping prevent clickjacking attacks. At the moment we don't allow MantisBT to be included in any iframes from any domain.

In the future we'll need to create a mechanism for plugins to notify MantisBT of other domains that are safe to load external data from.

Modified: core/http_api.php
MantisBT: master 517cd271
Timestamp: 2010-04-22 08:26:26  Author: dhx

Issue 0011825: Support X-Content-Security-Policy (CSP)

Firefox 3.7 supports a new security mechanism called Content Security Policy (CSP) that acts as a layer to prevent XSS, CSRF and clickjacking attacks.

We can ensure that MantisBT doesn't load any files (images, scripts, etc) from external domains by using CSP. The exception to this rule at the moment is the use of Gravatar for user avatar support in MantisBT.

CSP also allows us to limit the domains which can include MantisBT within an iframe, helping prevent clickjacking attacks. At the moment we don't allow MantisBT to be included in any iframes from any domain.

In the future we'll need to create a mechanism for plugins to notify MantisBT of other domains that are safe to load external data from.

Modified: core/http_api.php
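The commit messages above describe the policy in words only: everything from MantisBT's own origin, Gravatar as the single image exception, no framing by anyone, and a plugin hook for further hosts left as future work. The following is an added example, not the code from MantisBT's core/http_api.php, showing how such a policy can be composed and sent from PHP under both the experimental header name Firefox 3.7 understood and the later standardised one. The Gravatar host name, the `csp_*` function names, the `$plugin_sources` argument standing in for the not-yet-written plugin mechanism, and the charting plugin in the usage call are all assumptions of this example.

```php
<?php
// Added example (not MantisBT's code): build the policy the commit message
// describes and send it under the legacy and the standard header names.
// Host names and the plugin hook are assumptions, not taken from the change.

// Pattern a plugin-supplied source must match: optional http(s) scheme,
// optional leading wildcard label, host labels, optional port. Anything else
// (newlines, spaces, quotes) is rejected so a bad plugin value cannot break
// the header syntax or widen the policy with an unintended keyword.
define('CSP_HOST_PATTERN', '/^(https?:\/\/)?(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:[0-9]+)?$/');

// Directives a plugin is allowed to extend; frame-ancestors is deliberately
// absent so a plugin cannot re-enable framing.
function csp_extendable_directives() {
    return array('img-src', 'script-src', 'style-src', 'font-src', 'media-src', 'connect-src');
}

/**
 * Build the policy string.
 *
 * @param array $plugin_sources  directive => list of extra hosts (hypothetical plugin hook)
 * @param bool  $legacy          true for the original Mozilla syntax, where the
 *                               default directive is spelled "allow" rather than "default-src"
 * @return string
 */
function csp_build_policy(array $plugin_sources = array(), $legacy = false) {
    $directives = array(
        // Load nothing from anywhere but our own origin unless a directive below says otherwise.
        ($legacy ? 'allow' : 'default-src') => array("'self'"),
        // The one external exception the commit names: Gravatar avatars.
        // The host name is an assumption of this example.
        'img-src' => array("'self'", 'https://secure.gravatar.com'),
        // Nobody may frame MantisBT: the clickjacking defence.
        'frame-ancestors' => array("'none'"),
    );

    foreach ($plugin_sources as $directive => $hosts) {
        if (!in_array($directive, csp_extendable_directives(), true)) {
            throw new InvalidArgumentException("Plugins may not extend directive '$directive'");
        }
        foreach ((array) $hosts as $host) {
            if (!preg_match(CSP_HOST_PATTERN, $host)) {
                throw new InvalidArgumentException("Rejected malformed CSP source '$host'");
            }
            if (!isset($directives[$directive])) {
                // A directive that was covered by the default still needs 'self'
                // once it is listed explicitly, or own-origin loads would break.
                $directives[$directive] = array("'self'");
            }
            $directives[$directive][] = $host;
        }
    }

    $parts = array();
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', array_unique($sources));
    }
    return implode('; ', $parts);
}

/**
 * Send the policy. Returns false if output has already started, because
 * headers cannot be added after that point.
 */
function csp_send_headers(array $plugin_sources = array()) {
    if (headers_sent()) {
        return false;
    }
    // Experimental name understood by Firefox 3.7-era builds; other browsers ignore it.
    header('X-Content-Security-Policy: ' . csp_build_policy($plugin_sources, true));
    // Standard name used by current browsers.
    header('Content-Security-Policy: ' . csp_build_policy($plugin_sources, false));
    return true;
}

// Usage: a hypothetical charting plugin registers one extra script host.
echo csp_build_policy(array('script-src' => array('https://charts.example.test'))), "\n";
```

Two caveats a deployer of a policy like this should expect. An own-origin-only default (the legacy `allow 'self'` as much as `default-src 'self'`) also blocks inline scripts and styles, so pages that rely on inline event handlers stop working; trying the same policy under `Content-Security-Policy-Report-Only` first shows what would be blocked without breaking anything. And `frame-ancestors` only reached the standard header in CSP Level 2, so browsers older than that rely on `X-Frame-Options` for the framing restriction.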
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2010-04-22 03:59 | dhx | New Issue | |
| 2010-04-22 03:59 | dhx | Status | new => assigned |
| 2010-04-22 03:59 | dhx | Assigned To | => dhx |
| 2010-04-22 04:32 | dhx | Summary | Support X-Security-Content-Policy (CSP) => Support X-Content-Security-Policy (CSP) |
| 2010-04-22 04:32 | dhx | Description Updated | View Revisions |
| 2010-04-22 04:33 | dhx | Changeset attached | => MantisBT master-1.2.x d2e05d3e |
| 2010-04-22 04:33 | dhx | Changeset attached | => MantisBT master 517cd271 |
| 2010-04-22 04:33 | dhx | Status | assigned => resolved |
| 2010-04-22 04:33 | dhx | Fixed in Version | => 1.2.1 |
| 2010-04-22 04:33 | dhx | Resolution | open => fixed |
| 2010-04-22 04:37 | dhx | Relationship added | related to 0011826 |
| 2010-04-22 04:37 | dhx | Relationship added | related to 0011824 |
| 2010-04-23 14:30 | jreese | Status | resolved => closed |
| 2010-07-13 17:58 | dhx | Relationship added | related to 0012165 |
| 2012-09-03 04:31 | dregad | Issue cloned: 0014679 | |
| 2012-09-03 04:31 | dregad | Relationship added | related to 0014679 |
MantisBT 1.2.16dev master-1.2.x-8c2bd07
Copyright © 2000 - 2013 MantisBT Team