View Issue Details

ID: 0019576
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-09-06 17:37
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: text
Reproducibility: have not tried
Status: closed
Resolution: fixed
Target Version: 1.3.0-beta.3
Fixed in Version: 1.3.0-beta.3
Summary: 0019576: Allow admins to disable Content Security Policy
Description

Content Security Policy may cause issues in certain situations (e.g. during development, or when using plugins relying on external resources such as images or scripts).

Since we currently do not provide any mechanism for such plugins to notify MantisBT core of 'safe' external domains, we need to allow admins to disable CSP.

Tags: No tags attached.

Relationships

related to 0019307 (acknowledged): Possibility to report violations of the Content-Security-Policy

Activities

atrol

2015-04-05 12:47

developer   ~0049325

Not sure if this is needed.
There is a configuration option $g_custom_headers

dregad

2015-04-05 12:52

developer   ~0049326

Custom headers allows the admin to add additional headers; I am not sure that this config would allow them to disable or override a previously sent header (assuming the custom headers are sent after the CSP one). Need to test.

dregad

2015-04-05 17:54

developer   ~0049327

Just learned something new ;-)

You were right, CSP can effectively be disabled by adding to config_inc.php:
$g_custom_headers = array( 'Content-Security-Policy:' );

I never realized this was possible.
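As an added example (my own code, not part of this issue or of MantisBT), the following Python check reads a config_inc.php and reports whether $g_custom_headers uses the empty-value trick shown above to drop the Content-Security-Policy header; it models PHP's header() rule that a bare 'Name:' removes a header already queued under that name. The config fragment is constructed sample data and the parser only understands the array( 'Header: value', ... ) form used in MantisBT config files.

```python
import re

# Constructed config_inc.php fragment (sample data, not from the issue page).
SAMPLE_CONFIG = """
<?php
$g_hostname = 'localhost';
$g_custom_headers = array(
    'X-Frame-Options: DENY',
    'Content-Security-Policy:',   // empty value disables CSP
);
"""

def parse_custom_headers(php_source: str) -> list[str]:
    """Return the string literals inside the $g_custom_headers array.

    Only the array( 'Header: value', ... ) form used in MantisBT config
    files is recognised; anything else yields an empty list."""
    m = re.search(r"\$g_custom_headers\s*=\s*array\s*\((.*?)\)\s*;", php_source, re.S)
    if not m:
        return []
    return [body for _quote, body in re.findall(r"(['\"])(.*?)\1", m.group(1))]

def header_effects(headers: list[str]) -> list[tuple[str, str, str]]:
    """Model PHP's header() for each entry as (name, op, value).

    PHP strips the blanks after the colon; if nothing is left ('Name:') it
    removes any header of that name already queued (case-insensitively),
    otherwise it sets the header. Entries without a colon are flagged."""
    effects = []
    for raw in headers:
        name, colon, value = raw.partition(":")
        if not colon:
            effects.append((raw.strip().lower(), "malformed", ""))
            continue
        value = value.strip(" \t")
        effects.append((name.strip().lower(), "remove" if not value else "set", value))
    return effects

def csp_disabled(php_source: str) -> bool:
    """True when the config removes Content-Security-Policy as described in the issue."""
    return any(name == "content-security-policy" and op == "remove"
               for name, op, _ in header_effects(parse_custom_headers(php_source)))

if __name__ == "__main__":
    for name, op, value in header_effects(parse_custom_headers(SAMPLE_CONFIG)):
        print(f"{op:10} {name} {value}")
    print("CSP disabled:", csp_disabled(SAMPLE_CONFIG))
```

Run against a real config_inc.php by reading the file into the string instead of SAMPLE_CONFIG; a "remove" on content-security-policy is the condition an admin auditing headers would want flagged.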

dregad

2015-04-05 19:34

developer   ~0049328

Resolving this by documenting usage of $g_custom_headers for this purpose, both in config_defaults_inc.php and in the Admin guide.

Related Changesets

MantisBT: master f26298d7

2015-04-05 15:29

dregad

Document disabling of CSP via $g_custom_headers

Fixes 0019576
Affected Issues: 0019576
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/config/security.xml
mod - docbook/Admin_Guide/en-US/config/webserver.xml