View Issue Details

ID: 0023635
Project: mantisbt
Category: wiki
View Status: public
Last Update: 2021-08-17 13:17
Reporter: TomR
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 2.5.2
Summary: 0023635: Dokuwiki integration gives all kind of CSP errors after upgrade 1.2.20 -> 2.x
Description

Dokuwiki integration gives all kinds of CSP errors after upgrade 1.2.20 -> 2.x

Upgrading from 1.2.20 to version 2.x leads to a lot of CSP errors when opening wiki pages with wiki integration from MantisBT.

Tags: No tags attached.
Attached Files
CSP-Dokuwiki.png (77,202 bytes)
CSPHeader.png (42,522 bytes)

Relationships

has duplicate: 0016383 (closed, dregad, mantisbt) [Dokuwiki - Mantis Integrating] Missing toolbar of dokuwiki's pages
related to: 0023984 (confirmed, mantisbt) Fix MantisBT CSP settings interfering with DokuWiki

Activities

TomR (reporter), 2017-11-15 07:31, note ~0058199

0019576 seems to solve the problem, but that effectively disables CSP altogether, which seems a bit drastic.

In config_inc.php:
$g_custom_headers = array( 'Content-Security-Policy:' );

dregad (developer), 2017-11-15 11:51, note ~0058200

DokuWiki integration is used on this tracker, and I have never noticed issues related to CSP.

Can you be more explicit about what the problem is, the errors you're getting, etc. Information about your setup / config may also be useful.

atrol (developer), 2017-11-15 13:30, note ~0058201

DokuWiki integration is used on this tracker, and I have never noticed issues related to CSP.

Maybe no obvious issues, but errors in browser console like the following one, e.g. when opening http://www.mantisbt.org/wiki/doku.php?id=mantisbt:issue:23635

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf self blockiert ("script-src https://cdnjs.cloudflare.com http://www.mantisbt.org http://ajax.googleapis.com http://maxcdn.bootstrapcdn.com http://cdnjs.cloudflare.com"). Source: (function(H){H.className=H.className.rep....

TomR (reporter), 2017-11-16 04:07, note ~0058206

I was referring to other errors.

See also http://www.mantisbt.org/forums/viewtopic.php?f=3&t=25114

I expect that the problem lies in some of the extensions used on DokuWiki (like the IndexMenu plugin).
We would not show the errors to our customers (they will ask us all kinds of questions about it ;-( ).

What is an effective way to disable CSP for DokuWiki (but not for MantisBT)?

atrol (developer), 2017-11-16 04:30, note ~0058207

Last edited: 2017-11-16 04:30

No time to have a deeper look and to try myself, just a guess.
@dregad, maybe we need some extension to the function http_security_headers().
Something like:

// Only when wiki integration is switched on: whitelist the wiki engine's URL
// in the CSP directives that the embedded wiki pages need.
if( config_get_global( 'wiki_enable' ) == ON ) {
    $t_url = config_get_global( 'wiki_engine_url' );
    http_csp_add( 'style-src', $t_url );
    http_csp_add( 'script-src', $t_url );
    http_csp_add( 'img-src', $t_url );
}
dregad (developer), 2017-11-16 05:17, note ~0058208

Last edited: 2017-11-16 05:18

Thanks @atrol. I can reproduce the behavior.

The DokuWiki integration has 2 parts:

  • Mantis -> DokuWiki
  • DokuWiki -> Mantis

I believe the problem is with the second case, more specifically the single sign-on integration, because it basically works by requiring core.php and calling several Mantis APIs (see https://mantisbt.org/wiki/doku.php/mantisbt:issue:8253#authentication_single_sign-on).

@TomR, which version of DokuWiki are you using, and do you have any particular plugins?

TomR (reporter), 2017-11-17 04:24, note ~0058216

Hi @dregad,

I use Release 2017-02-19e "Frusterick Manners"

And I have indeed a lot of plugins.
And I guess that for sure the Indexmenu plugin is giving the CSP errors.

However, I also found out there is a CSPHeader plugin.
I installed it and configured it, and now the CSP errors are gone.
The only problem is that I am not into CSP, so I do not know if I disabled CSP totally, which is not recommended.

dregad (developer), 2018-01-28 19:21, note ~0058657

@TomR with the plugins I use, I found it sufficient to change the following settings:

  • plugin»cspheader»enableHeader - checked
  • plugin»cspheader»allowValue - 'self'
  • All other options unchecked or blank

I strongly recommend not to check optionsEval and optionsInline if you can avoid it - this is where the biggest security risk resides.
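
As an added illustration (not code from MantisBT, DokuWiki or the cspheader plugin), the following Python evaluator models the CSP rules behind the console error quoted earlier in this thread (a script-src list without 'unsafe-inline' blocks inline scripts) and what the settings in this note imply: allowValue 'self' on its own keeps inline and eval'd code blocked, while optionsInline / optionsEval lift that restriction. The header text the plugin actually emits is an assumption here; the sample policies are constructed.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """'dir v1 v2; dir2 v3' -> {'dir': ['v1', 'v2'], 'dir2': ['v3']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_source_matches(expr, url, page_origin):
    """One source expression ('self', scheme://host/path, host) against a resource URL."""
    u, page = urlparse(url), urlparse(page_origin)
    if expr == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):  # other keywords never match a fetched URL
        return False
    # a scheme-less host source inherits the page's scheme (https upgrade not modelled)
    e = urlparse(expr if "://" in expr else f"{page.scheme}://{expr}")
    return (e.scheme == u.scheme and e.netloc.lower() == u.netloc.lower()
            and (e.path in ("", "/") or u.path.startswith(e.path)))

def allows(header, directive, page_origin, url=None, inline=False, eval_=False):
    """True if the policy lets `directive` load `url` or run inline / eval'd code."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))  # CSP fallback rule
    if sources is None:
        return True  # neither the directive nor default-src set: unrestricted
    if inline:
        return "'unsafe-inline'" in sources
    if eval_:
        return "'unsafe-eval'" in sources
    return any(_host_source_matches(s, url, page_origin) for s in sources)

# Constructed samples: SCRIPT_SRC_SEEN is the script-src list quoted in the console error
# above; WIKI_* assume allowValue 'self' emits default-src 'self' and that optionsInline /
# optionsEval add 'unsafe-inline' / 'unsafe-eval' (assumed, not verified against the plugin).
PAGE = "http://www.mantisbt.org"
SCRIPT_SRC_SEEN = ("script-src https://cdnjs.cloudflare.com http://www.mantisbt.org "
                   "http://ajax.googleapis.com http://maxcdn.bootstrapcdn.com http://cdnjs.cloudflare.com")
WIKI_SELF_ONLY = "default-src 'self'"
WIKI_UNSAFE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"

def explain(header, page_origin=PAGE):
    """What a page served under `header` may do; 'inline_script' is the thread's error case."""
    return {
        "inline_script": allows(header, "script-src", page_origin, inline=True),
        "eval": allows(header, "script-src", page_origin, eval_=True),
        "self_script": allows(header, "script-src", page_origin, url=page_origin + "/lib/doku.js"),
        "self_style": allows(header, "style-src", page_origin, url=page_origin + "/lib/style.css"),
    }
```

Running explain() over the three policies shows why the quoted header rejects the inline snippet from the console message while still serving same-origin scripts, and that 'self' alone keeps eval and inline code blocked.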

dregad (developer), 2018-02-15 09:22, note ~0058877

Resolving this issue, since a working solution exists with the DokuWiki cspheaders plugin. Note that despite the warning, the plugin works just fine with the latest version of DokuWiki (2017-02-19e "Frusterick Manners" as of this writing).

Refer to my earlier note 0023635:0058657 for minimal settings to fix the problem.

dregad (developer), 2021-08-17 13:17, note ~0065761

Last edited: 2021-08-17 13:17

For the record, the cspheader plugin has been updated so there is no longer a warning, and the authmantis plugin's setup page now includes recommended CSP configuration.