View Issue Details

ID: 0012824
Project: mantisbt
Category: webpage
View Status: public
Last Update: 2015-12-27 05:36
Reporter: cobexer
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Firefox 4
Product Version: git trunk
Summary: 0012824: mantisbt.org + CSP + FF4: lots of CSP violations + JavaScript errors
Description

Visiting any mantisbt.org/bugs/ page results in lots of CSP violations and at least one JavaScript error:

_gat is not defined
var pageTracker = _gat._getTracker("UA-330112-6");

Tags: No tags attached.

Relationships

related to 0020428 (closed, handler: atrol, project: mantisbt): CSP prevents loading from https://ajax.googleapis.com

Activities

dhx (reporter), 2011-02-28 16:44, note ~0028322

This sounds like an issue with one or more plugins you are using with MantisBT. Can you please list which plugins you have installed? As of the latest version of mantisbt-1.3.x inline JavaScript is not permitted in plugin output.

cobexer (reporter), 2011-02-28 16:51, note ~0028323

Um, you missed the http://mantisbt.org/bugs/ part in the summary.

atrol (developer), 2011-02-28 17:13, note ~0028325 (last edited 2011-02-28 17:14)

I think it's caused by Google Analytics (_gat), which seems to be included at www.mantisbt.org/bugs, and by something with Gravatar embedding.

atrol (developer), 2011-02-28 17:19, note ~0028326 (last edited 2011-02-28 17:20)

This is the warning you get:
<pre>
Warning: CSP: Directive "img-src http://www.mantisbt.org https://secure.gravatar.com:443" violated by http://www.gravatar.com/avatar.php?gravatar_id=73c62116c4c5b1c7c379affab8284f1d&default=http%3A%2F%2Fwww.mantisbt.org%2Fbugs%2Fimages%2Fno_avatar.png&size=80&rating=G
</pre>

cobexer (reporter), 2011-02-28 17:41, note ~0028328

And Twitter too; it seems to be configured in "paranoid" mode, as it also affects image src attributes:

CSP: Directive "img-src http://www.mantisbt.org https://secure.gravatar.com:443" violated by http://a3.twimg.com/profile_images/341171736/twitterProfilePhoto_normal.jpg

However, the HTTP header should exclude Gravatar:
x-content-security-policy: allow 'self'; options inline-script eval-script; img-src 'self' https://secure.gravatar.com:443; frame-ancestors 'none'

Reading that error message above again makes it clear: *.twimg.com should be white-listed too.

And the wiki is affected too (http://www.mantisbt.org/wiki/doku.php?id=mantisbt:start):
CSP: Directive "img-src http://www.mantisbt.org https://secure.gravatar.com:443" violated by https://www.paypal.com/en_AU/i/scr/pixel.gif
CSP: Directive "img-src http://www.mantisbt.org https://secure.gravatar.com:443" violated by http://sourceforge.net/sflogo.php?group_id=14963
CSP: Directive "allow http://www.mantisbt.org" violated by http://www.google-analytics.com/urchin.js

atrol (developer), 2013-04-27 18:37, note ~0036707

Removed assignment. dhx will not contribute to this issue in near future.

j_schultz (reporter), 2014-12-07 11:34, note ~0041987

CSP is still (or again) causing issues on mantisbt.org + Firefox here. The problem is that the CSS files are included from www.mantisbt.org, and they are not loaded when visiting the no-www version.

dregad (developer), 2014-12-07 17:38, note ~0041988

"not loaded when visiting the no-www version"

You mean, when accessing the tracker via http://mantisbt.org/bugs as opposed to http://www.mantisbt.org/bugs ?

j_schultz (reporter), 2014-12-07 17:42, note ~0041989

Exactly. Well, using your example link will not work, as it does an automatic redirect, but if you visit a site that does not result in a redirect (e.g. https://mantisbt.org/bugs/view.php?id=12824 vs https://www.mantisbt.org/bugs/view.php?id=12824), the CSS will be missing.
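Both failure modes in this thread, the blocked third-party images and scripts reported by cobexer and atrol (notes ~0028326 and ~0028328) and the missing stylesheet on the no-www host reported by j_schultz (note ~0041987), come from the same source-matching rules: a host source only matches the scheme, host and port it names, and `'self'` is the page's exact origin, so `https://mantisbt.org` and `https://www.mantisbt.org` are two different origins. The evaluator below is an added example, not code from this page or from the MantisBT project. It implements the pre-standard X-Content-Security-Policy syntax Firefox 4 used (`allow` instead of `default-src`, an `options` directive) and replays the header and violating URLs quoted in the thread. The "fixed" headers, the stylesheet path and the directive assigned to each load are my assumptions; the thread does not say what mantisbt.org actually changed.

```python
"""Evaluate the pre-standard X-Content-Security-Policy syntax seen in this thread
(Firefox 4: 'allow' instead of default-src, plus an 'options' directive) against
the resource loads the reporters listed. Added illustration, not MantisBT code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """'allow 'self'; img-src 'self' https://h' -> {'allow': ["'self'"], 'img-src': [...]}"""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def origin_of(url):
    """(scheme, host, effective port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, page_origin, url):
    """One source expression against one resource URL. A scheme-less host takes the
    page's scheme, '*.' matches subdomains only (never the bare domain), and an
    omitted port means the scheme's default. IPv6 literals are not handled."""
    scheme, host, port = origin_of(url)
    if source == "'none'":
        return False
    if source == "'self'":  # exact origin: scheme, host and port must all agree
        return (scheme, host, port) == page_origin
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
        src_scheme = src_scheme.lower()
    else:
        src_scheme, rest = page_origin[0], source
    if src_scheme != scheme:
        return False
    if ":" in rest:
        src_host, src_port = rest.rsplit(":", 1)
        wanted_port = None if src_port == "*" else int(src_port)
    else:
        src_host, wanted_port = rest, DEFAULT_PORTS.get(src_scheme)
    src_host = src_host.lower()
    host_ok = host.endswith(src_host[1:]) if src_host.startswith("*.") else host == src_host
    return host_ok and (wanted_port is None or port == wanted_port)


def check(header, page_url, resource_url, directive):
    """(allowed, governing directive, its sources); a directive absent from the
    policy falls back to 'allow', the X-CSP name for default-src."""
    policy = parse_policy(header)
    governing = directive if directive in policy else "allow"
    sources = policy.get(governing, [])
    page_origin = origin_of(page_url)
    return any(source_matches(s, page_origin, resource_url) for s in sources), governing, sources


def report(header, page_url, loads):
    """loads: [(directive, url), ...] -> violation messages in Firefox's wording."""
    scheme, host, port = origin_of(page_url)
    self_text = f"{scheme}://{host}" + ("" if port == DEFAULT_PORTS.get(scheme) else f":{port}")
    out = []
    for directive, url in loads:
        allowed, governing, sources = check(header, page_url, url, directive)
        if not allowed:  # Firefox printed 'self' expanded to the page origin
            shown = " ".join(self_text if s == "'self'" else s for s in sources)
            out.append(f'Directive "{governing} {shown}" violated by {url}')
    return out


# The header cobexer pasted from mantisbt.org in this thread.
THREAD_HEADER = ("allow 'self'; options inline-script eval-script; "
                 "img-src 'self' https://secure.gravatar.com:443; frame-ancestors 'none'")

# The loads reported in the thread; which directive each falls under is my reading of the URL.
THREAD_LOADS = [
    ("img-src", "http://www.gravatar.com/avatar.php?gravatar_id=73c62116c4c5b1c7c379affab8284f1d&size=80"),
    ("img-src", "http://a3.twimg.com/profile_images/341171736/twitterProfilePhoto_normal.jpg"),
    ("script-src", "http://www.google-analytics.com/urchin.js"),
    ("img-src", "https://www.paypal.com/en_AU/i/scr/pixel.gif"),
    ("img-src", "http://sourceforge.net/sflogo.php?group_id=14963"),
]

# Assumed fix for those five (not what mantisbt.org actually deployed): name every origin.
FIXED_HEADER = ("allow 'self'; options inline-script eval-script; "
                "img-src 'self' https://secure.gravatar.com:443 http://www.gravatar.com "
                "*.twimg.com https://www.paypal.com http://sourceforge.net; "
                "script-src 'self' http://www.google-analytics.com; frame-ancestors 'none'")

# j_schultz's case: page on the no-www host, stylesheet from the www host (the CSS
# path is a constructed placeholder). 'self' is the exact page origin, so it fails.
NO_WWW_PAGE = "https://mantisbt.org/bugs/view.php?id=12824"
WWW_CSS = "https://www.mantisbt.org/bugs/css/default.css"
# One assumed remedy: list the www origin explicitly (redirecting to one host also works).
NO_WWW_FIXED_HEADER = THREAD_HEADER.replace("allow 'self'", "allow 'self' https://www.mantisbt.org")
```

Running `report(THREAD_HEADER, "http://www.mantisbt.org/bugs/", THREAD_LOADS)` reproduces the five messages quoted above word for word, including the `allow http://www.mantisbt.org` line for urchin.js, which is blocked because the policy has no `script-src` and so falls back to `allow`. With `FIXED_HEADER` the same loads produce no violations. `check(THREAD_HEADER, NO_WWW_PAGE, WWW_CSS, "style-src")` is refused for the same reason: `'self'` on `https://mantisbt.org` does not cover `https://www.mantisbt.org`, which is why the stylesheet disappeared on the no-www host. Note that a scheme-less source such as `*.twimg.com` inherits the page's scheme in this syntax, so it would stop matching if the site moved to HTTPS while the images stayed on HTTP.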

dregad (developer), 2015-01-17 19:42, note ~0042188

I just implemented a tweak on mantisbt.org config which resolves the CSS issue with CSP, as reported by j_schultz in 0012824:0041987.

I don't see any more violations on the tracker, so I'm resolving this issue. Feel free to reopen it should you notice further problems.