View Issue Details

ID: 0019576
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-09-06 17:37
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: text
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version:
Target Version: 1.3.0-beta.3
Fixed in Version: 1.3.0-beta.3
Summary: 0019576: Allow admins to disable Content Security Policy
Description

Content Security Policy may cause issues in certain situations (e.g. during development, or when using plugins relying on external resources such as images or scripts).

Since we currently do not provide any mechanism for such plugins to notify MantisBT core of 'safe' external domains, we need to allow admins to disable CSP.

Tags: No tags attached.

Relationships

related to 0019307 (acknowledged): Possibility to report violations of the Content-Security-Policy

Activities

atrol (developer), 2015-04-05 12:47, note ~0049325

Not sure if this is needed.
There is a configuration option $g_custom_headers

dregad (developer), 2015-04-05 12:52, note ~0049326

Custom headers allow the admin to add additional headers; I am not sure that this config would allow them to disable or override a previously sent header (assuming the custom headers are sent after the CSP one). Need to test.

dregad (developer), 2015-04-05 17:54, note ~0049327

Just learned something new ;-)

You were right, CSP can effectively be disabled by adding to config_inc.php
$g_custom_headers = array( 'Content-Security-Policy:' );

I never realized this was possible.
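The mechanism behind the workaround in the note above is PHP's header() function: by default ($replace = true) it replaces any header of the same name that the script queued earlier, and a Content-Security-Policy header with no directives enforces nothing. The script below is an added illustration, not MantisBT code; emit_headers(), CORE_CSP and the ?csp=on|off switch are assumptions made for the demo, and the only thing taken from the issue is the $g_custom_headers value. It mimics the ordering the note relies on (core policy first, then each custom header) so the replacement can be observed before changing a real config_inc.php.

```php
<?php
// Added demonstration script (not part of MantisBT). Run it with the
// built-in server and compare the two modes:
//   php -S 127.0.0.1:8080 csp_demo.php
//   curl -si 'http://127.0.0.1:8080/?csp=on'
//   curl -si 'http://127.0.0.1:8080/?csp=off'
declare(strict_types=1);

// Stand-in for the policy the application core would send; value is illustrative.
const CORE_CSP = "default-src 'self'; frame-ancestors 'self'";

/**
 * Send the core security headers, then every entry of the admin's custom
 * header array, in that order (the order the workaround depends on).
 * header() with the default $replace = true removes an earlier header of
 * the same name (case-insensitive) before queuing the new one, so
 * 'Content-Security-Policy:' with an empty value overwrites CORE_CSP.
 * Headers with other names, such as X-Frame-Options here, are untouched.
 *
 * @param string[] $custom_headers  Lines in the same form as $g_custom_headers.
 * @return string[]                 The header lines PHP will actually send.
 */
function emit_headers(array $custom_headers): array {
    header('Content-Security-Policy: ' . CORE_CSP);
    header('X-Frame-Options: SAMEORIGIN');
    foreach ($custom_headers as $header) {
        header($header);
    }
    return headers_list();
}

// Simulated config_inc.php choice, selected per request for side-by-side testing.
$g_custom_headers = (($_GET['csp'] ?? 'on') === 'off')
    ? array( 'Content-Security-Policy:' )   // the workaround from this issue
    : array();                               // default: core CSP stays in place

$sent = emit_headers($g_custom_headers);

header('Content-Type: text/plain');
echo "Headers queued for this response:\n";
foreach ($sent as $line) {
    echo "  ", $line, "\n";
}
```

With ?csp=off the response still carries a Content-Security-Policy line, but with an empty value, so browsers have no directives to enforce. Two caveats: the trick only works if the custom header is emitted after the core one (the earlier note's assumption, confirmed by the test), and it only affects headers set from PHP; a policy added by the web server itself (for example an Apache Header directive) is not seen by header() and must be removed in the server configuration.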

dregad (developer), 2015-04-05 19:34, note ~0049328

Resolving this by documenting usage of $g_custom_headers for this purpose, both in config_defaults_inc.php and in the Admin guide.

Related Changesets

MantisBT: master f26298d7 (dregad, 2015-04-05 19:29:45)
Document disabling of CSP via $g_custom_headers

Fixes 0019576
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/config/security.xml
mod - docbook/Admin_Guide/en-US/config/webserver.xml

Issue History

Date Modified Username Field Change
2015-04-05 12:39 dregad New Issue
2015-04-05 12:39 dregad Status new => assigned
2015-04-05 12:39 dregad Assigned To => dregad
2015-04-05 12:42 dregad Relationship added related to 0019307
2015-04-05 12:47 atrol Note Added: 0049325
2015-04-05 12:52 dregad Note Added: 0049326
2015-04-05 17:54 dregad Note Added: 0049327
2015-04-05 19:34 dregad Severity feature => text
2015-04-05 19:34 dregad Note Added: 0049328
2015-04-05 19:35 dregad Changeset attached => MantisBT master f26298d7
2015-04-05 19:35 dregad Status assigned => resolved
2015-04-05 19:35 dregad Resolution open => fixed
2015-04-05 19:35 dregad Fixed in Version => 1.3.0-beta.3
2015-09-06 17:37 vboctoradmin Status resolved => closed