View Issue Details

ID: 0012165
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-01-23 17:54
Reporter: neilc
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version: 1.2.0
Summary: 0012165: Allow mantis to be loaded in an iframe
Description

Currently the mantis security policy does not allow mantis to be loaded inside an iframe (by browsers that support this feature). It would be nice to have a config option to disable this behaviour or to allow particular domains/URLs to load mantis in an iframe.

Additional Information

For now, editing http_security_headers() in http_api.php is the only way to make this work.
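As an added illustration of the configurable behaviour this request asks for (example code written for this page, not MantisBT's own http_security_headers() and not the project's real configuration schema; the function names and the $allowed_origins parameter are assumptions), the snippet below derives frame-embedding headers from an allowlist. An empty list keeps today's deny-all behaviour, 'self' permits same-origin framing, and a list of origins permits those sites. Because X-Frame-Options has no multi-origin form (its ALLOW-FROM directive took a single URI and was never widely supported), the per-origin case is expressed with the CSP frame-ancestors directive instead, and each configured value is checked to be a bare origin so a malformed setting cannot inject header content.

```php
<?php
// Added example, not MantisBT code. Builds the response headers that control
// whether the application may be framed, based on a configuration value.
//
//   []                         -> deny framing everywhere (current behaviour)
//   ['self']                   -> allow same-origin framing only
//   ['https://a.example', ...] -> allow framing from the listed origins (CSP only)

function frame_policy_headers(array $allowed_origins): array
{
    if (empty($allowed_origins)) {
        return [
            'X-Frame-Options: DENY',
            "Content-Security-Policy: frame-ancestors 'none'",
        ];
    }

    if ($allowed_origins === ['self']) {
        return [
            'X-Frame-Options: SAMEORIGIN',
            "Content-Security-Policy: frame-ancestors 'self'",
        ];
    }

    $sources = [];
    foreach ($allowed_origins as $origin) {
        if ($origin === 'self') {
            $sources[] = "'self'";
            continue;
        }
        // Accept only scheme://host[:port]; reject paths, queries, fragments and
        // anything that is not http(s), so config values cannot smuggle in
        // extra directives or header lines.
        $p = parse_url($origin);
        if ($p === false
            || empty($p['scheme']) || empty($p['host'])
            || !in_array($p['scheme'], ['http', 'https'], true)
            || (isset($p['path']) && $p['path'] !== '/')
            || isset($p['query']) || isset($p['fragment'])
            || isset($p['user']) || isset($p['pass'])) {
            throw new InvalidArgumentException("Not a valid origin: $origin");
        }
        $sources[] = $p['scheme'] . '://' . $p['host']
                   . (isset($p['port']) ? ':' . $p['port'] : '');
    }

    // No X-Frame-Options here: browsers that understand only that header would
    // receive no restriction, which is the trade-off the allowlist opts into.
    return ['Content-Security-Policy: frame-ancestors ' . implode(' ', $sources)];
}

// Sends the computed headers; must run before any output is written.
function send_frame_policy_headers(array $allowed_origins): void
{
    foreach (frame_policy_headers($allowed_origins) as $line) {
        header($line);
    }
}

// Constructed sample inputs for a quick check from the command line.
print_r(frame_policy_headers([]));
print_r(frame_policy_headers(['self']));
print_r(frame_policy_headers(['https://tracker-host.example', 'self']));
```

The deny and same-origin branches emit both headers so that browsers predating CSP still honour X-Frame-Options; only the explicit allowlist gives that up, which is why the origin check above is strict.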

Tags: No tags attached.

Relationships

related to 0011824 closeddhx Implement X-Frame-Options clickjacking protection 
related to 0011825 closeddhx Support X-Content-Security-Policy (CSP) 
has duplicate 0013129 closedatrol firefox 3.5 and later cannot handle mantis put into a frame 
has duplicate 0015724 closedatrol Allow administrators to customize X-Frame-Options header 

Activities

dhx (reporter) 2010-07-13 17:59 ~0026073

Reference for manually editing http_api.php: http://www.mantisbt.org/blog/?p=102

rombert (reporter) 2013-04-07 11:22 ~0036534

Users actually need to do this for valid use cases, see http://stackoverflow.com/questions/15813325/squash-tm-bugtracker-in-frame/15815825. I think that it's not such a large change and can be targeted to 1.2.x. If you disagree feel free to move back to 1.3.x, as this is not my area of expertise.

dregad (developer) 2013-04-09 18:36 ~0036558

I just think that, in light of the current discussion on the mailing list, we should probably avoid putting anything new in scope for 1.2.x, at least until we reach a decision in a few days (hopefully ;)

rombert (reporter) 2013-04-10 02:59 ~0036560

I'm not going to push anything to 1.2.x until we have a way to go forward with the next versions.

atrol (developer) 2013-04-27 18:26 ~0036699

Removed assignment. dhx will not contribute to this issue in the near future.