View Issue Details

ID: 0017491
Project: mantisbt
Category: ui
View Status: public
Last Update: 2016-06-28 01:52
Reporter: syncguru
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: unable to reproduce
Product Version: 1.3.0-beta.1
Summary: 0017491: Avatars are not showing on Firefox
Description

Firefox 30.0 - View bug details where there are notes and avatars are enabled. You will notice that avatars are not displayed. If you try with Chrome or Safari, avatars will show just fine.

This appears to be related to Firefox Content Security Policy which is configured by MantisBT.

Since this security setting only works with Firefox and is largely ineffective with other browsers, I wonder whether it would be better to avoid this one-off setting.

Tags: No tags attached.

Relationships

related to 0019501 (closed, dregad): The progress bar in Roadmap is broken
related to 0020428 (closed, atrol): CSP prevents loading from https://ajax.googleapis.com
related to 0021164 (closed, syncguru): CSP headers are no longer sent when using current master branch

Activities

dregad (developer), 2014-07-07 08:10, note ~0040889

Works for me.

atrol (developer), 2014-07-08 03:22, note ~0040898

I am able to reproduce the issue but have no time for further investigation at the moment.

Tried current master on Ubuntu 12.04 Server
Client Windows 8.1
IE11 works
FF30 does not work

syncguru (developer), 2014-08-30 22:00, note ~0041140

I am going to disable the FF security headers as part of the modern UI pull request. Once we find a work around for this, we can enable it back or just as discussed here remove it since it is only on FF.

dregad (developer), 2014-08-31 12:49, note ~0041141

I don't think that disabling a security feature is a good idea.

It would be better to spend the time to find out why CSP is breaking the gravatars, and fix that properly instead.

vboctor (manager), 2014-08-31 21:39, note ~0041143

I wonder if there is value in a security feature that is ON 20% of the time (i.e. when user is using Firefox). http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

Any idea why loading avatars fails in case of the new UI, but the scenarios in the old UI where we loaded avatars didn't fail?

vboctor (manager), 2014-08-31 21:43, note ~0041144

It seems that based on http://en.wikipedia.org/wiki/Content_Security_Policy there is a standard version of the header that is also supported by Chrome. If this is becoming a standard, then it makes sense for us to invest in keeping it.

Paul has a pull request to move to the standard header rather than the Chrome specific one.
https://github.com/mantisbt/mantisbt/pull/275

dregad (developer), 2014-09-04 04:36, note ~0041166

> Any idea why loading avatars fails in case of the new UI, but the scenarios in the old UI where we loaded avatars didn't fail?

Not sure, I'd need to check... It's been a while since I last messed with CSP.

> Paul has a pull request to move to the standard header rather than the Chrome specific one.

I think this is what we should do indeed.

dregad (developer), 2014-09-05 19:28, note ~0041182

I'm still not able to reproduce this on my dev box - avatars display just fine on FF31

atrol (developer), 2014-09-06 06:08, note ~0041183

I am no longer able to reproduce it on FF31 and FF32 and current master
Might have been a bug in FF30.

+1 for replacing X-Content-Security-Policy by Content-Security-Policy
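
The description attributes the missing avatars to the Content-Security-Policy that MantisBT sends, and the notes above settle on moving from the X-Content-Security-Policy header to the standard Content-Security-Policy name. As an added example (not code from MantisBT or from anyone in this thread), the Python below models how a browser evaluates img-src for an image load, so the effect of a policy that does not name the avatar host can be checked offline. The page origin, avatar URL and both policy strings are constructed for the illustration; the page does not record the policy MantisBT actually emitted, and the gravatar host names are assumptions.

```python
"""Added example, not MantisBT code: a minimal model of how a browser
applies a Content-Security-Policy header to an <img> load, to show why
third-party avatars fail when img-src (or the default-src it falls back
to) does not name their host.

Page origin, avatar URL and policy strings below are constructed; the
bug report does not record the policy MantisBT actually sent.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value):
    """Split a CSP header value into {directive: [source expressions]}.
    The first occurrence of a directive wins; duplicates are ignored."""
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _port(url):
    """Explicit port, or the scheme's default when none is given."""
    return url.port if url.port is not None else DEFAULT_PORTS.get(url.scheme)


def source_matches(source, url, page):
    """Simplified CSP 'does url match source expression' check: handles
    'none', 'self', scheme-sources ("https:") and host-sources with an
    optional scheme, wildcard subdomain, port and path prefix. Script-only
    keywords (nonces, hashes, 'unsafe-inline') never match an image load."""
    if source == "'self'":
        return (url.scheme, url.hostname, _port(url)) == (
            page.scheme, page.hostname, _port(page))
    if source.startswith("'"):                      # 'none' and script keywords
        return False
    if source.endswith(":") and "/" not in source:  # scheme-source
        return url.scheme == source[:-1].lower()

    # host-source: an implied scheme is the page's own; https is also
    # accepted for an http page, mirroring the spec's upgrade allowance
    explicit_scheme = "://" in source
    src = urlsplit(source if explicit_scheme else f"{page.scheme}://{source}")
    if explicit_scheme:
        if url.scheme != src.scheme:
            return False
    elif url.scheme not in (page.scheme, "https"):
        return False

    host, url_host = src.hostname or "", url.hostname or ""
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):  # "*.gravatar.com" excludes bare domain
            return False
    elif host != "*" and url_host != host:
        return False

    if src.port is not None:
        if _port(url) != src.port:
            return False
    elif _port(url) != DEFAULT_PORTS.get(url.scheme):
        return False

    if src.path and src.path != "/":
        if src.path.endswith("/"):
            return url.path.startswith(src.path)
        return url.path == src.path
    return True


def load_allowed(header_value, directive, resource_url, page_url):
    """True if resource_url may be fetched under `directive`. Falls back
    to default-src when the fetch directive is absent, as browsers do; a
    directive with no sources means 'none'; a policy with neither
    directive leaves the load unrestricted."""
    policy = parse_policy(header_value)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    url, page = urlsplit(resource_url), urlsplit(page_url)
    return any(source_matches(s, url, page) for s in sources)


# Constructed inputs for the illustration (not a real instance or hash).
PAGE = "https://bugs.example.org/view.php?id=1"
AVATAR = "https://secure.gravatar.com/avatar/0123abcd?s=80&d=identicon"

# Trusts only the page's own origin: the avatar <img> is refused.
SELF_ONLY = "default-src 'self'; script-src 'self'; style-src 'self'"
# Same policy plus an img-src naming the (assumed) avatar hosts.
WITH_GRAVATAR = (
    "default-src 'self'; script-src 'self'; style-src 'self'; "
    "img-src 'self' https://secure.gravatar.com https://*.gravatar.com"
)

if __name__ == "__main__":
    for label, policy in (("self-only", SELF_ONLY), ("with gravatar", WITH_GRAVATAR)):
        verdict = "allowed" if load_allowed(policy, "img-src", AVATAR, PAGE) else "BLOCKED"
        print(f"{label:14} -> avatar load {verdict}")
```

To check a live instance the same way, read the Content-Security-Policy response header on view.php, take the avatar URL from the browser's network panel, and pass both to load_allowed; a refused load also appears in the browser console as a CSP violation, which is the quickest way to tell a policy problem from a Firefox bug.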

dregad (developer), 2014-09-08 05:34, note ~0041186

Reminder sent to: syncguru

Can you check whether you're still experiencing this behavior ? If not, I'd recommend to resolve this.

If yes, please provide steps to reproduce it.

dregad (developer), 2014-09-23 02:53, note ~0041295

@grangeway, why category security? Just because CSP is involved does not make this a security issue IMO.

vboctor (manager), 2014-11-02 02:54, note ~0041745

Changing category to 'ui' and assigning to @syncguru to validate based on latest master code. If still an issue, provide steps to reproduce.

Also reduced severity since this shouldn't block at least beta version of 1.3.x.

syncguru (developer), 2014-11-02 11:21, note ~0041751

This is still not working for me on either FF33 or Chrome. I am using Mac 10.9.
Once I disable security headers, everything works just fine.

I also noticed that when security is enabled, Firebug - the popular FF plugin - does not work any more on any mantisbt page.

atrol (developer), 2015-03-15 07:00, note ~0049233

I am not able to reproduce it using FF36.
Maybe the issue is fixed in new FF version, maybe it's fixed as we replaced X-Content-Security-Policy by Content-Security-Policy.