View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0023635 | mantisbt | wiki | public | 2017-11-14 10:54 | 2021-08-17 13:17 |
Reporter | TomR | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | no change required | ||
Product Version | 2.5.2 | ||||
Summary | 0023635: DokuWiki integration gives all kinds of CSP errors after upgrade 1.2.20 -> 2.x | ||||
Description | DokuWiki integration gives all kinds of CSP errors after upgrade 1.2.20 -> 2.x. Upgrading from 1.2.20 to version 2.x leads to a lot of CSP errors when opening wiki pages with wiki integration from MantisBT | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
0019576 seems to solve the problem, In config_inc.php |
|
DokuWiki integration is used on this tracker, and I have never noticed issues related to CSP. Can you be more explicit about what the problem is, the errors you're getting, etc. Information about your setup / config may also be useful. |
|
Maybe no obvious issues, but errors in browser console like the following one, e.g. when opening http://www.mantisbt.org/wiki/doku.php?id=mantisbt:issue:23635 |
|
I was referring to other errors. See also http://www.mantisbt.org/forums/viewtopic.php?f=3&t=25114 I expect that the problem lies in some of the extensions used on DokuWiki (like IndexMenu plugin). What is an effective way to disable CSP for DokuWiki? (But not for MantisBT) |
|
No time to have a deeper look and to try myself, just a guess. |
|
Thanks @atrol. I can reproduce the behavior. The DokuWiki integration has 2 parts:
I believe the problem is with the second case, more specifically the single sign-on integration, because it basically works by requiring core.php and calling several Mantis APIs (see https://mantisbt.org/wiki/doku.php/mantisbt:issue:8253#authentication_single_sign-on). @TomR, which version of DokuWiki are you using, and do you have any particular plugins? |
|
Hi @dregad, I use Release 2017-02-19e "Frusterick Manners" and have indeed a lot of plugins. However I also found out there is a CSPHeader plugin. |
|
@TomR with the plugins I use, I found it sufficient to change the following settings:
I strongly recommend not to check optionsEval and optionsInline if you can avoid it - this is where the biggest security risk resides. |
|
Resolving this issue, since a working solution exists with the DokuWiki cspheaders plugin. Note that despite the warning, the plugin works just fine with the latest version of DokuWiki (2017-02-19e "Frusterick Manners" as of this writing). Refer to my earlier note 0023635:0058657 for minimal settings to fix the problem. |
|
For the record, the cspheader plugin has been updated so there is no longer a warning, and the authmantis plugin's setup page now includes recommended CSP configuration. |
|
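The advice above to leave optionsEval and optionsInline unchecked can be verified against the header a wiki page actually returns. The following is an added example, not code from this thread, MantisBT, DokuWiki or the plugin; it assumes those two options correspond to the CSP keywords `'unsafe-eval'` and `'unsafe-inline'`, and the function names and sample policies are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value for the
// script relaxations the thread advises against. Only script-src and its
// default-src fallback are examined (script-src-elem/-attr are out of scope).

// Parse one policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();   // directive names are case-insensitive
    if (!directives.has(name)) {            // a repeated directive is ignored
      directives.set(name, tokens.slice(1));
    }
  }
  return directives;
}

// Return the relaxations that apply to script execution under this policy.
function scriptRelaxations(policy) {
  const d = parseCsp(policy);
  // script-src falls back to default-src when it is absent
  const governing = d.has('script-src') ? 'script-src'
                  : d.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    return ['no script-src or default-src: scripts are unrestricted'];
  }
  const sources = d.get(governing).map(s => s.toLowerCase());
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const findings = [];
  if (sources.includes("'unsafe-eval'")) {
    findings.push(`${governing} allows 'unsafe-eval'`);
  }
  // browsers ignore 'unsafe-inline' when a nonce or hash source is present
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push(`${governing} allows 'unsafe-inline'`);
  }
  return findings;
}

// Constructed sample policies (not taken from any real installation).
const samples = [
  "default-src 'self'; script-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "default-src 'self' 'unsafe-inline'",
];
for (const p of samples) console.log(p, '->', scriptRelaxations(p));
```

Paste the `Content-Security-Policy` value from the browser's network panel into `scriptRelaxations` to see which relaxations are actually in effect for the page.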