View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017491 | mantisbt | ui | public | 2014-07-06 20:25 | 2016-06-28 01:52 |
Reporter | syncguru | Assigned To | atrol | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | unable to reproduce | ||
Product Version | 1.3.0-beta.1 | ||||
Summary | 0017491: Avatars are not showing on Firefox | ||||
Description | Firefox 30.0 - View bug details where there are notes and avatars are enabled. You will notice that avatars are not displayed. If you try with Chrome or Safari, avatars will show just fine. This appears to be related to Firefox Content Security Policy which is configured by MantisBT. Since this security setting is only working with Firefox and largely ineffective with other browsers, I wonder if it is better to avoid this one-off setting. | ||||
Tags | No tags attached. | ||||
Works for me. |
|
I am able to reproduce the issue but have no time for further investigation at the moment. Tried current master on Ubuntu 12.04 Server |
|
I am going to disable the FF security headers as part of the modern UI pull request. Once we find a workaround for this, we can enable it back or just, as discussed here, remove it since it is only on FF. |
|
I don't think that disabling a security feature is a good idea. It would be better to spend the time to find out why CSP is breaking the gravatars, and fix that properly instead. |
|
I wonder if there is value in a security feature that is ON 20% of the time (i.e. when user is using Firefox). http://en.wikipedia.org/wiki/Usage_share_of_web_browsers Any idea why loading avatars fails in case of the new UI, but the scenarios in the old UI where we loaded avatars didn't fail? |
|
It seems that based on http://en.wikipedia.org/wiki/Content_Security_Policy there is a standard version of the header that is also supported by Chrome. If this is becoming a standard, then it makes sense for us to invest in keeping it. Paul has a pull request to move to the standard header rather than the Chrome specific one. |
|
Not sure, I'd need to check... It's been a while since I last messed with CSP
I think this is what we should do indeed. |
|
I'm still not able to reproduce this on my dev box - avatars display just fine on FF31 |
|
I am no longer able to reproduce it on FF31 and FF32 and current master. +1 for replacing X-Content-Security-Policy by Content-Security-Policy. |
|
Reminder sent to: syncguru Can you check whether you're still experiencing this behavior? If not, I'd recommend resolving this. If yes, please provide steps to reproduce it. |
|
@grangeway, why category security? Just because CSP is involved does not make this a security issue IMO. |
|
Changing category to 'ui' and assigning to @syncguru to validate based on latest master code. If still an issue, provide steps to reproduce. Also reduced severity since this shouldn't block at least beta version of 1.3.x. |
|
This is still not working for me on either FF33 or Chrome. I am using Mac 10.9. I also noticed that when security is enabled, Firebug - the popular FF plugin - does not work any more on any mantisbt page. |
|
I am not able to reproduce it using FF36. |
|
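The thread asks why CSP would block the gravatars and proposes replacing X-Content-Security-Policy with Content-Security-Policy. The following added example (not MantisBT code and not posted by anyone in this thread) checks which of the two headers a response carries and whether its `img-src` / `default-src` sources would admit an avatar URL. The policy strings, `tracker.example`, and the avatar URL are constructed assumptions; source matching is simplified to scheme and host, and the legacy header is evaluated with the standard directive names.

```javascript
// Added example: constructed policies, not MantisBT's actual header values.
const CSP_HEADERS = ['content-security-policy', 'x-content-security-policy'];

// Parse a policy string into Map(directive -> [source expressions]).
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: scheme and host only (ports and paths ignored).
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// Report which CSP header is present and whether it lets the page load imgUrl.
function diagnose(headers, pageOrigin, imgUrl) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const present = CSP_HEADERS.filter((h) => h in lower);
  if (present.length === 0) return { present, legacyOnly: false, directive: null, allowed: true };
  const policy = parseCsp(lower[present[0]]);
  const directive = ['img-src', 'default-src'].find((d) => policy.has(d)) || null; // img-src falls back to default-src
  const url = new URL(imgUrl);
  const allowed = directive === null ||
    policy.get(directive).some((src) => sourceMatches(src, url, pageOrigin));
  return { present, legacyOnly: !present.includes(CSP_HEADERS[0]), directive, allowed };
}

// Constructed sample responses: legacy header without the avatar host, standard header with it.
const PAGE = 'https://tracker.example';
const AVATAR = 'https://secure.gravatar.com/avatar/0000?s=80';
const legacy = { 'X-Content-Security-Policy': "default-src 'self'; img-src 'self'" };
const fixed = { 'Content-Security-Policy': "default-src 'self'; img-src 'self' https://secure.gravatar.com" };
console.log(diagnose(legacy, PAGE, AVATAR));
console.log(diagnose(fixed, PAGE, AVATAR));
```

A result with `legacyOnly: true` means only browsers that honour the prefixed header enforce the policy, which is one way a page can behave differently between Firefox and other browsers.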