View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0019576 | mantisbt | security | public | 2015-04-05 12:39 | 2015-09-06 17:37 |
| Reporter | dregad | Assigned To | dregad | | |
| Priority | normal | Severity | text | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | | |
| Target Version | 1.3.0-beta.3 | Fixed in Version | 1.3.0-beta.3 | | |
| Summary | 0019576: Allow admins to disable Content Security Policy | | | | |
| Description | Content Security Policy may cause issues in certain situations (e.g. during development, or when using plugins relying on external resources such as images or scripts). Since we currently do not provide any mechanism for such plugins to notify MantisBT core of 'safe' external domains, we need to allow admins to disable CSP. | | | | |
| Tags | No tags attached. | | | | |
| related to | 0019307 | acknowledged | Possibility to report violations of the Content-Security-Policy | | |
Not sure if this is needed. |
|
Custom headers allow the admin to add additional headers. I am not sure that this config would allow them to disable or override a previously sent header (assuming the custom headers are sent after the CSP one). Need to test.
|
Just learned something new ;-) You were right, CSP can effectively be disabled by adding to config_inc.php. I never realized this was possible.
|
Resolving this by documenting usage of $g_custom_headers for this purpose, both in config_defaults_inc.php and in the Admin guide. |
|
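The config_inc.php fragment below is an added example for this issue, not code from the MantisBT commit or from the comments above. It relies on the mechanism the discussion settled on: MantisBT emits each string in $g_custom_headers with PHP's header(), which by default replaces an earlier header of the same name, and the custom headers are sent after core's own Content-Security-Policy header. The exact header strings, and the https://cdn.example.com origin in the second option, are assumptions used for illustration.

```php
<?php
// Added example (not from the MantisBT commit): disabling or overriding CSP
// via $g_custom_headers in config_inc.php.
//
// Assumption: MantisBT passes every entry of this array to PHP's header(),
// whose default is to replace a previously sent header with the same name.
// Because core sends its Content-Security-Policy first, the entry below
// wins. Everything here applies to the whole site, not to one plugin.

// Option 1: disable CSP entirely, e.g. during development.
// An empty policy contains no directives, so the browser enforces nothing.
$g_custom_headers = array( 'Content-Security-Policy:' );

// Option 2 (assumption, not from the page): keep a policy, but extend it
// with the external origin a plugin needs instead of dropping it. Start from
// the policy MantisBT already sends (see usage note) and only append the
// host; writing a policy from scratch can break the MantisBT UI itself.
//
// $g_custom_headers = array(
//     "Content-Security-Policy: default-src 'self'; "
//     . "img-src 'self' https://cdn.example.com; "
//     . "script-src 'self' https://cdn.example.com",
// );
```

To confirm which policy the browser actually receives, fetch any MantisBT page with `curl -sI https://your-mantis/view_all_bug_page.php` and inspect the Content-Security-Policy line: with option 1 it should be empty (or absent), with option 2 it should show the extended policy. Keep in mind that option 1 removes the XSS mitigation CSP provides for every user, so it is best reserved for development instances or re-enabled as soon as the plugin's needs are known and can be expressed as in option 2.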
MantisBT: master f26298d7 2015-04-05 15:29
Document disabling of CSP via $g_custom_headers
Fixes 0019576
Affected Issues 0019576

mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/config/security.xml
mod - docbook/Admin_Guide/en-US/config/webserver.xml