View Issue Details

ID: 0012165
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-01-23 17:54
Reporter: neilc
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version: 1.2.0
Target Version:
Fixed in Version:
Summary: 0012165: Allow mantis to be loaded in an iframe
Description

Currently the mantis security policy does not allow mantis to be loaded inside an iframe (by browsers that support this feature). It would be nice to have a config option to disable this behaviour or to allow particular domains/URLs to load mantis in an iframe.

Additional Information

For now, editing http_security_headers() in http_api.php is the only way to make this work.
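One way the requested config option could be implemented, as an added example that is not MantisBT's own code and not the contents of http_security_headers(). The config key `frame_policy` and the `frame_policy_*` function names are assumptions. The policy value is either `DENY`, `SAMEORIGIN`, or a list of origins allowed to embed the tracker; allowed origins are validated and rebuilt from their parsed parts so a malformed config value cannot end up in a header line, and any unrecognised value falls back to denying framing. Since X-Frame-Options can express at most one allowed origin, the example also emits the CSP `frame-ancestors` directive (the subject of related issue 0011825), which accepts several:

```php
<?php
// Added example, not MantisBT's own code. The config key 'frame_policy' and
// the frame_policy_* function names are assumptions made for illustration.

/**
 * Validate one configured framing origin and return it normalised as
 * scheme://host[:port]. The value is rebuilt from parsed components instead
 * of being echoed back, so stray characters in the config never reach a
 * header line.
 *
 * @param string $p_origin  configured origin, e.g. 'https://tracker.example.test'
 * @return string           normalised origin
 * @throws InvalidArgumentException if the value is not a plain http(s) origin
 */
function frame_policy_normalise_origin( $p_origin ) {
	$t_parts = parse_url( (string)$p_origin );
	if( $t_parts === false || empty( $t_parts['scheme'] ) || empty( $t_parts['host'] ) ) {
		throw new InvalidArgumentException( "Not an origin: '$p_origin'" );
	}
	$t_scheme = strtolower( $t_parts['scheme'] );
	if( $t_scheme !== 'http' && $t_scheme !== 'https' ) {
		throw new InvalidArgumentException( "Unsupported scheme in '$p_origin'" );
	}
	// An origin carries no userinfo, query or fragment, and at most a bare '/'.
	foreach( array( 'user', 'pass', 'query', 'fragment' ) as $t_key ) {
		if( isset( $t_parts[$t_key] ) ) {
			throw new InvalidArgumentException( "Expected scheme://host[:port], got '$p_origin'" );
		}
	}
	if( isset( $t_parts['path'] ) && $t_parts['path'] !== '/' ) {
		throw new InvalidArgumentException( "Expected scheme://host[:port], got '$p_origin'" );
	}
	// Accept DNS names and IPv4 literals only (no brackets, whitespace or CR/LF).
	if( !preg_match( '/^[a-z0-9.-]+$/i', $t_parts['host'] ) ) {
		throw new InvalidArgumentException( "Bad host in '$p_origin'" );
	}
	$t_origin = $t_scheme . '://' . strtolower( $t_parts['host'] );
	if( isset( $t_parts['port'] ) ) {
		$t_origin .= ':' . (int)$t_parts['port'];
	}
	return $t_origin;
}

/**
 * Build the response headers that decide whether this page may be framed.
 *
 * @param mixed $p_policy  hypothetical 'frame_policy' config value:
 *                         'DENY' (default), 'SAMEORIGIN', or an array of
 *                         origins allowed to embed the tracker
 * @return array           header name => header value
 */
function frame_policy_headers( $p_policy ) {
	if( $p_policy === 'SAMEORIGIN' ) {
		return array(
			'X-Frame-Options'         => 'SAMEORIGIN',
			'Content-Security-Policy' => "frame-ancestors 'self'",
		);
	}
	if( is_array( $p_policy ) && count( $p_policy ) > 0 ) {
		$t_origins = array_values( array_map( 'frame_policy_normalise_origin', $p_policy ) );
		$t_headers = array(
			'Content-Security-Policy' => 'frame-ancestors ' . implode( ' ', $t_origins ),
		);
		// X-Frame-Options can name at most one origin, and ALLOW-FROM was only
		// ever honoured by some browsers; those that implement frame-ancestors
		// ignore X-Frame-Options when both headers are present.
		if( count( $t_origins ) === 1 ) {
			$t_headers['X-Frame-Options'] = 'ALLOW-FROM ' . $t_origins[0];
		}
		return $t_headers;
	}
	// 'DENY', an unknown value or an empty list: fail closed.
	return array(
		'X-Frame-Options'         => 'DENY',
		'Content-Security-Policy' => "frame-ancestors 'none'",
	);
}

/**
 * Emit the headers; must run before any page output is sent.
 */
function frame_policy_send_headers( $p_policy ) {
	foreach( frame_policy_headers( $p_policy ) as $t_name => $t_value ) {
		header( $t_name . ': ' . $t_value );
	}
}

// Usage with a constructed value; a real install would read the value with
// config_get( 'frame_policy' ) (the key is hypothetical):
// frame_policy_send_headers( array( 'https://squash.example.test' ) );
```

Keeping the header construction separate from the `header()` call lets the values be inspected in a unit test without starting a request. If the application already sends a Content-Security-Policy header, the `frame-ancestors` directive should be merged into that policy rather than sent as a second header.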

Tags: No tags attached.

Relationships

related to 0011824 (closed, dhx): Implement X-Frame-Options clickjacking protection
related to 0011825 (closed, dhx): Support X-Content-Security-Policy (CSP)
has duplicate 0013129 (closed, atrol): firefox 3.5 and later cannot handle mantis put into a frame
has duplicate 0015724 (closed, atrol): Allow administrators to customize X-Frame-Options header

Activities

dhx (reporter), 2010-07-13 17:59, note ~0026073

Reference for manually editing http_api.php: http://www.mantisbt.org/blog/?p=102

rombert (developer), 2013-04-07 11:22, note ~0036534

Users actually need to do this for valid use cases, see http://stackoverflow.com/questions/15813325/squash-tm-bugtracker-in-frame/15815825. I think that it's not such a large change and can be targeted to 1.2.x. If you disagree feel free to move back to 1.3.x, as this is not my area of expertise.

dregad (developer), 2013-04-09 18:36, note ~0036558

I just think that, in light of the current discussion on the mailing list, we should probably avoid putting anything new in scope for 1.2.x, at least until we reach a decision in a few days (hopefully ;)

rombert (developer), 2013-04-10 02:59, note ~0036560

I'm not going to push anything to 1.2.x until we have a way to go forward with the next versions.

atrol (developer), 2013-04-27 18:26, note ~0036699

Removed assignment. dhx will not contribute to this issue in the near future.

Issue History

Date Modified Username Field Change
2010-07-13 11:08 neilc New Issue
2010-07-13 17:58 dhx Relationship added related to 0011824
2010-07-13 17:58 dhx Relationship added related to 0011825
2010-07-13 17:59 dhx Assigned To => dhx
2010-07-13 17:59 dhx Status new => assigned
2010-07-13 17:59 dhx Note Added: 0026073
2010-07-13 17:59 dhx Target Version => 1.3.0-beta.1
2011-07-08 03:13 atrol Relationship added has duplicate 0013129
2013-04-07 11:19 atrol Relationship added has duplicate 0015724
2013-04-07 11:22 rombert Note Added: 0036534
2013-04-07 11:22 rombert Target Version 1.3.0-beta.1 => 1.2.15
2013-04-09 18:36 dregad Note Added: 0036558
2013-04-10 02:59 rombert Note Added: 0036560
2013-04-12 09:57 dregad Target Version 1.2.15 => 1.2.16
2013-04-27 18:26 atrol Note Added: 0036699
2013-04-27 18:26 atrol Assigned To dhx =>
2013-04-27 18:26 atrol Status assigned => acknowledged
2014-01-23 17:54 atrol Target Version 1.2.16 =>