Progress towards fully implementing X-Content-Security-Policy

MantisBT 1.2.1 introduced anti-clickjacking features in the form of both X-Content-Security Policy and X-Frame-Options HTTP headers. SHODAN is a search engine that allows the searching of HTTP server fingerprints obtained from internet facing hosts. If we search for X-Frame-Options in SHODAN’s database, just over 7000 results are returned. Performing the same check for the X-Content-Security-Policy header returns just over 90 results. Interestingly, the great majority of search results for X-Content-Security-Policy are MantisBT installations. It therefore appears that other web applications (and websites) have yet to implement X-Content-Security-Policy in readiness for the stable release of Firefox 4.

As Firefox 4 has been pushed back to early 2011 we have more time to finish off the implementation of X-Content-Security-Policy within MantisBT. A fair amount of progress has already been achieved towards removing inline JavaScript from within MantisBT pages. Once this process is complete we can switch on CSP’s ability to block inline JavaScript from being executed. This will severely limit the impact of XSS vulnerabilities on MantisBT. At the same time there is also a push towards reimplementing the output handling of MantisBT to use a templating system that automatically escapes user supplied data before printing it into HTML output. This approach would help prevent mistakes from occurring, especially with respect to third party plugins that may not undergo as much scrutiny as the MantisBT core.