View Issue Details
| Field | Value |
|---|---|
| ID | 0012824 |
| Project | mantisbt |
| Category | webpage |
| View Status | public |
| Date Submitted | 2011-02-28 14:00 |
| Last Update | 2015-12-27 05:36 |
| Reporter | cobexer |
| Assigned To | dregad |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | Firefox 4 |
| Product Version | git trunk |
| Summary | 0012824: mantisbt.org + CSP + FF4: lots of CSP violations + JavaScript errors |
| Description | visiting any mantisbt.org/bugs/ page results in lots of CSP violations and at least one JavaScript error: _gat is not defined |
| Tags | No tags attached. |

| Relationship | Issue | Status | Assigned To | Project | Summary |
|---|---|---|---|---|---|
| related to | 0020428 | closed | atrol | mantisbt | CSP prevents loading from https://ajax.googleapis.com |
This sounds like an issue with one or more plugins you are using with MantisBT. Can you please list which plugins you have installed? As of the latest version of mantisbt-1.3.x inline JavaScript is not permitted in plugin output.

Um, you missed the http://mantisbt.org/bugs/ part in the summary.

I think it's caused by Google Analytics (_gat), which seems to be included at www.mantisbt.org/bugs, and something with Gravatar embedding.

This is the warning you get:

And Twitter too; it seems to be configured in "paranoid" mode as it also affects image src attributes:

CSP: Directive "img-src http://www.mantisbt.org https://secure.gravatar.com:443" violated by http://a3.twimg.com/profile_images/341171736/twitterProfilePhoto_normal.jpg

However the HTTP header should exclude Gravatar:

Reading that error message above again makes it clear: *.twimg.com should be white-listed too.

And the wiki is affected too (http://www.mantisbt.org/wiki/doku.php?id=mantisbt:start):

Removed assignment. dhx will not contribute to this issue in near future.

CSP is still (or again) causing issues on mantisbt.org + Firefox here. The problem is that the CSS files are included from www.mantisbt.org, and they are not loaded when visiting the no-www version.

You mean, when accessing the tracker via http://mantisbt.org/bugs as opposed to http://www.mantisbt.org/bugs ?

Exactly. Well, using your example link will not work as it does an automatic redirect, but if you visit a site that does not result in a redirect (e.g. https://mantisbt.org/bugs/view.php?id=12824 vs https://www.mantisbt.org/bugs/view.php?id=12824) the CSS will be missing.

I just implemented a tweak on mantisbt.org config which resolves the CSS issue with CSP, as reported by j_schultz in 0012824:0041987. I don't see any more violations on the tracker, so I'm resolving this issue. Feel free to reopen it should you notice further problems.
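The thread turns on two CSP source-matching details: the quoted `img-src` list names `www.mantisbt.org` and `secure.gravatar.com` only, so an avatar from `a3.twimg.com` is blocked until `*.twimg.com` is added, and a `'self'`-only stylesheet source fails on `https://mantisbt.org` because `'self'` means the exact document origin, not `www.mantisbt.org`. The following is an added example, not MantisBT's code and not the configuration dregad changed (the page does not say what that tweak was): a small simulator of how a browser evaluates a Content-Security-Policy header against the resources a page loads. The full headers, the Gravatar URL, the stylesheet path and the inline-script load are constructed for the demonstration; only the `img-src` directive and the Twitter image URL come from the thread. The "fixed" header is one possible widening of the source lists, assumed here to illustrate the point.

```python
"""Added example (not MantisBT's code): simulate how a browser evaluates a
Content-Security-Policy header against the resources a page loads, and
reproduce the img-src and stylesheet problems discussed in this thread."""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlparse(url)
    return p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme)


def host_matches(pattern, host):
    """CSP host matching: '*' matches any host, '*.example.com' matches any
    subdomain (but not example.com itself), otherwise the host must be exact."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source, url, document_origin):
    """Evaluate a single CSP source expression against a resource URL."""
    scheme, host, port = origin(url)
    if source == "'none'":
        return False
    if source == "'self'":                      # exact document origin: scheme, host AND port
        return (scheme, host, port) == document_origin
    if source.endswith(":") and "://" not in source:   # scheme-source, e.g. "https:"
        return scheme == source[:-1]
    if "://" in source:                          # host-source with an explicit scheme
        src_scheme, _, rest = source.partition("://")
    else:                                        # scheme-less host-source inherits the page's scheme
        src_scheme, rest = document_origin[0], source
    rest = rest.split("/", 1)[0]                 # path matching is not modelled in this example
    src_host, _, src_port = rest.partition(":")
    if scheme != src_scheme and not (src_scheme == "http" and scheme == "https"):
        return False                             # an http source may be satisfied over https
    if not host_matches(src_host.lower(), host):
        return False
    if src_port == "*":
        return True
    return port == (int(src_port) if src_port else DEFAULT_PORTS.get(src_scheme))


def parse_policy(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def find_violations(header, document_url, loads):
    """Return the (directive, url) pairs the policy blocks for a page at
    document_url. `loads` is a list of (directive, url); the pseudo-url
    'inline' stands for an inline <script>/<style>, which only
    'unsafe-inline' permits. A missing directive falls back to default-src."""
    policy = parse_policy(header)
    doc = origin(document_url)
    blocked = []
    for directive, url in loads:
        sources = policy.get(directive) or policy.get("default-src")
        if sources is None:
            continue                             # nothing restricts this load
        if url == "inline":
            ok = "'unsafe-inline'" in sources
        else:
            ok = any(source_allows(s, url, doc) for s in sources)
        if not ok:
            blocked.append((directive, url))
    return blocked


# Constructed scenario. The img-src directive and the Twitter image URL are the
# ones quoted in the thread; everything else is made up for the demonstration.
HEADER_ORIGINAL = ("default-src 'self'; "
                   "img-src http://www.mantisbt.org https://secure.gravatar.com:443; "
                   "style-src 'self'")
HEADER_FIXED = ("default-src 'self'; "           # assumed fix: widen the source lists
                "img-src http://www.mantisbt.org https://secure.gravatar.com:443 http://*.twimg.com; "
                "style-src 'self' https://www.mantisbt.org")
TWITTER_AVATAR = "http://a3.twimg.com/profile_images/341171736/twitterProfilePhoto_normal.jpg"
GRAVATAR = "https://secure.gravatar.com/avatar/00000000000000000000000000000000"  # constructed
STYLESHEET = "https://www.mantisbt.org/bugs/css/example.css"                       # constructed path
PAGE_WWW = "https://www.mantisbt.org/bugs/view.php?id=12824"
PAGE_NO_WWW = "https://mantisbt.org/bugs/view.php?id=12824"
LOADS = [("img-src", TWITTER_AVATAR), ("img-src", GRAVATAR),
         ("style-src", STYLESHEET), ("script-src", "inline")]


def reproduce(header, document_url):
    """Violations the browser would report for one page under one header."""
    return find_violations(header, document_url, LOADS)


if __name__ == "__main__":
    for name, header in (("original", HEADER_ORIGINAL), ("fixed", HEADER_FIXED)):
        for page in (PAGE_WWW, PAGE_NO_WWW):
            print(name, page, "->", reproduce(header, page))
```

Under the original header the Twitter avatar is blocked on both hostnames and the stylesheet is additionally blocked on the no-www page, matching the two complaints in the thread; the widened header clears both. The inline script stays blocked in every case, because neither header grants `'unsafe-inline'`, which is the rule the first reply states for plugin output.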