
ID: 0014679
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-07-07 16:48
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 1.2.1
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary0014679: Support Content-Security-Policy (CSP) per W3C specification
Description

dhx originally implemented CSP following the Mozilla-proposed specification X-Content-Security-Policy [1] in 0011825.

Since then, the proposal has evolved into a W3C standard [2], which is still in DRAFT form but differs in some significant ways from the Mozilla original specification:

  • Standard header: "Content-Security-Policy" (renamed from "X-Content-Security-Policy")
  • "default-src" (instead of "allow")
  • new way of specifying options ('unsafe-inline' and 'unsafe eval')
  • "frame-src" (instead of frame-ancestors)
  • etc

MantisBT headers should be modified to adhere to the new standard once it becomes final and is correctly implemented in major browsers (see Additional Information below).

[1] https://wiki.mozilla.org/Security/CSP/Specification
[2] http://www.w3.org/TR/CSP/
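The syntax differences listed above, worked through in code. This is an added example, not MantisBT's own http_api code: it builds one directive map into the W3C CSP 1.0 header value and into the older Mozilla X-Content-Security-Policy form ("allow" for "default-src", "options inline-script eval-script" for 'unsafe-inline' / 'unsafe-eval'), so both headers can be emitted while browsers only partially support the standard. The sample policy at the bottom is constructed for illustration and is not the policy MantisBT ships.

```php
<?php
// Added example (not MantisBT code): build a CSP 1.0 policy string and its
// X-Content-Security-Policy (Mozilla draft) equivalent from one directive map.
// The sample policy below is an assumption for illustration only.

/**
 * Build a W3C CSP 1.0 header value.
 * $directives maps directive name => list of source expressions.
 */
function csp_build_standard( array $directives ) {
	$parts = array();
	foreach( $directives as $name => $sources ) {
		$parts[] = $name . ' ' . implode( ' ', $sources );
	}
	return implode( '; ', $parts );
}

/**
 * Translate the same directive map into the older Mozilla syntax:
 *   default-src      -> allow
 *   'unsafe-inline'  -> options inline-script
 *   'unsafe-eval'    -> options eval-script
 * Other directives and source expressions are passed through unchanged.
 */
function csp_build_legacy( array $directives ) {
	$parts = array();
	$options = array();
	foreach( $directives as $name => $sources ) {
		$kept = array();
		foreach( $sources as $src ) {
			if( $src === "'unsafe-inline'" ) {
				$options['inline-script'] = true;
			} else if( $src === "'unsafe-eval'" ) {
				$options['eval-script'] = true;
			} else {
				$kept[] = $src;
			}
		}
		$legacy_name = ( $name === 'default-src' ) ? 'allow' : $name;
		if( !empty( $kept ) ) {
			$parts[] = $legacy_name . ' ' . implode( ' ', $kept );
		}
	}
	// In the Mozilla syntax "options" is a policy-wide directive, so it is
	// emitted once, after all source directives.
	if( !empty( $options ) ) {
		$parts[] = 'options ' . implode( ' ', array_keys( $options ) );
	}
	return implode( '; ', $parts );
}

/**
 * Send both headers during the transition: browsers implementing CSP 1.0 honour
 * the standard header, older Firefox builds that only know the prefixed header
 * keep enforcing the legacy form. Must be called before any output.
 */
function csp_send_headers( array $directives ) {
	header( 'Content-Security-Policy: ' . csp_build_standard( $directives ) );
	header( 'X-Content-Security-Policy: ' . csp_build_legacy( $directives ) );
}

// Constructed sample policy: everything same-origin; scripts may also be
// inline or use eval (the permissions MantisBT's older "options" header granted).
$t_policy = array(
	'default-src' => array( "'self'" ),
	'script-src'  => array( "'self'", "'unsafe-inline'", "'unsafe-eval'" ),
);

echo csp_build_standard( $t_policy ), "\n";
echo csp_build_legacy( $t_policy ), "\n";
```

Run from the command line it prints the two header values side by side; in a web page `csp_send_headers( $t_policy )` would replace the two `echo` lines and has to run before any output is sent.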

Additional Information

With Firefox 15, the new standard is only partially implemented:

  • not yet using standard header
  • options 'unsafe-inline' and 'unsafe eval' do not work
  • still using proprietary equivalent "options inline-script eval-script" (currently implemented in MantisBT)
  • Header has been renamed from "X-Content-Security-Policy" to "Content-Security-Policy"

Adherence to the new standard is a work-in-progress at Mozilla:

Tags: No tags attached.

Relationships

related to 0011825 (closed, dhx): Support X-Content-Security-Policy (CSP)
related to 0019307 (acknowledged): Possibility to report violations of the Content-Security-Policy

Activities

dregad (developer), 2013-10-17 10:49, note ~0038290 (last edited 2013-10-17 10:53)

The CSP 1.0 standard has been implemented in Firefox 23 [1] in June 2013; as per the blog post, it is also available in Chrome 25 and IE 10.

I tried to make the change in http api, but unfortunately there seems to be an issue with jQuery, triggering "Content Security Policy: Directive inline script base restriction violated" whenever it is included (tested with 1.9.1 and 1.10.2).

This error is reproducible with a simple test file (tested on FF 24):

<?php header( "Content-Security-Policy: default-src 'self'" ); ?>
<script type="text/javascript" src="/mantis/javascript/jquery-1.9.1.min.js"></script>

Somebody else reported the same error [2]

Test branch: https://github.com/dregad/mantisbt/tree/csp-update

[1] https://blog.mozilla.org/security/2013/06/11/content-security-policy-1-0-lands-in-firefox/
[2] http://bugs.jquery.com/ticket/14422
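A way to find out what a policy would block before enforcing it, relevant both to the jQuery violation in this note and to the related issue 0019307 on reporting violations. This is an added example, not MantisBT code: it sends the policy as Content-Security-Policy-Report-Only with a report-uri (both part of CSP 1.0), and implements a minimal receiver that parses the JSON violation report the browser POSTs and logs it. The endpoint path /csp_report.php and the sample report are assumptions constructed for illustration.

```php
<?php
// Added example (not MantisBT code): a minimal receiver for CSP 1.0 violation
// reports, used with "Content-Security-Policy-Report-Only" to discover what a
// policy would block (e.g. an inline-script violation) without breaking pages.
// The endpoint path and the sample report below are assumptions.

/**
 * Parse a CSP 1.0 violation report body. Returns the fields worth logging,
 * or null if the body is not a well-formed report.
 */
function csp_parse_report( $json ) {
	$data = json_decode( $json, true );
	if( !is_array( $data ) || !isset( $data['csp-report'] ) || !is_array( $data['csp-report'] ) ) {
		return null;
	}
	$report = $data['csp-report'];
	$wanted = array( 'document-uri', 'violated-directive', 'blocked-uri', 'original-policy' );
	$out = array();
	foreach( $wanted as $key ) {
		$value = isset( $report[$key] ) ? (string)$report[$key] : '';
		// Reports are client-supplied input: strip control characters and cap the
		// length so a crafted report cannot inject log lines or flood the log.
		$value = preg_replace( '/[\x00-\x1F\x7F]/', '', $value );
		$out[$key] = substr( $value, 0, 500 );
	}
	return $out;
}

/**
 * Report-only trial policy: same-origin everything, violations reported to
 * /csp_report.php (assumed path). Nothing is blocked in report-only mode.
 * Must be called before any output.
 */
function csp_send_report_only_header() {
	header( "Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp_report.php" );
}

// Constructed sample report, shaped like the JSON a CSP 1.0 browser POSTs.
$t_sample = '{"csp-report":{"document-uri":"http://mantis.example/view_all_bug_page.php",'
	. '"violated-directive":"default-src \'self\'",'
	. '"blocked-uri":"self",'
	. '"original-policy":"default-src \'self\'; report-uri /csp_report.php"}}';

// Endpoint logic: on the command line use the sample, otherwise read the POST body.
$t_body = ( php_sapi_name() === 'cli' ) ? $t_sample : file_get_contents( 'php://input' );
$t_parsed = csp_parse_report( $t_body );
if( $t_parsed === null ) {
	http_response_code( 400 );
} else {
	error_log( 'CSP violation: ' . json_encode( $t_parsed ) );
	http_response_code( 204 );
}
```

Deployed as /csp_report.php and paired with `csp_send_report_only_header()` on the pages under test, the log shows exactly which directive jQuery trips and on which page, which tells you whether 'unsafe-inline' / 'unsafe-eval' on script-src is the only relaxation the policy needs.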

dregad (developer), 2015-04-05 12:44, note ~0049324

This was actually implemented by grangeway in September 2014.

Related Changesets

MantisBT: master 91242cdb
2014-08-30 13:23, Paul Richards
Fix Content-Security-Policy Headers

Firefox complains when accessing mantis 1.3 about the deprecated headers.

X-Content-Security-Policy is replaced by Content Security Policy
Affected Issues: 0014679
mod - core/http_api.php