View Issue Details

ID: 0026093
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2019-12-09 04:32
Reporter: kuz30
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.21.1
Target Version: 2.23.0
Fixed in Version: 2.23.0
Summary0026093: Content Security Policy directive 'frame-ancestors' contains an invalid source when http_csp_add is called for it
Description

Mantis 2.21.1 with the latest BBCodePlus generates a Google Chrome console error:

The source list for Content Security Policy directive 'frame-ancestors' contains an invalid source: ''none''. It will be ignored. Note that 'none' has no effect unless it is the only expression in the source list.

due to the response header:
content-security-policy: ... frame-ancestors 'self' 'none'; ...

https://github.com/mantisbt-plugins/BBCodePlus/issues/72

Steps To Reproduce

Call http_csp_add( 'frame-ancestors', "'self'" ); in your plugin code

Additional Information

@atrol suggests:
The solution might be to introduce special treatment in function http_csp_add if $p_type is frame-ancestors. In this case, if none is set, unset none.

Tags: No tags attached.

Activities

dregad (developer), 2019-08-28 19:48, note ~0062679

Proposed fix in PR https://github.com/mantisbt/mantisbt/pull/1554

dregad (developer), 2019-08-28 19:50, note ~0062680

I did not check this, but was this issue really introduced in 2.21.1 (I doubt it), or was it present before, and if so, since when?

kuz30 (reporter), 2019-08-29 02:19, note ~0062683

This issue is from the very beginning of http_csp_add in core/http_api.php; expecting to reproduce in 1.3.*.
Reliably checked it only in 2.21.1.

Related Changesets

MantisBT: master 2d2f6f7b

2019-08-28 19:46:01

dregad

Drop CSP frame-ancestor: 'none' if other sources exist

If both 'none' and other values (e.g. 'self') are defined for the
frame-ancestor CSP directive, http_csp_value() now drops 'none', which
is the default set by MantisBT core, and can only exist by itself.

Fixes 0026093
Affected Issues: 0026093
mod - core/http_api.php
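To make the behaviour described in the changeset concrete, here is an added example. It is not MantisBT's code and not the BBCodePlus plugin's code: it is a minimal PHP model of a CSP header builder that reuses the function names http_csp_add and http_csp_value from this page, but their bodies, the $g_csp array and the csp_reset_defaults and csp_invalid_none_directives helpers are assumptions made for the illustration. It also goes slightly beyond the frame-ancestors-only fix by applying the "'none' is only valid on its own" rule to every directive, since the browser message quoted in the report states that rule for any source list.

```php
<?php
// Added example, not MantisBT's own code. The function names follow the
// page (http_csp_add, http_csp_value); everything else is an assumption.

/** @var array<string, string[]> directive => list of source expressions */
$g_csp = array();

/** Reset to the core default the report describes: frame-ancestors 'none'. */
function csp_reset_defaults() {
    global $g_csp;
    $g_csp = array( 'frame-ancestors' => array( "'none'" ) );
}

/** Append a source expression to a directive (what a plugin calls). */
function http_csp_add( $p_type, $p_value ) {
    global $g_csp;
    if( !isset( $g_csp[$p_type] ) ) {
        $g_csp[$p_type] = array();
    }
    if( !in_array( $p_value, $g_csp[$p_type], true ) ) {
        $g_csp[$p_type][] = $p_value;
    }
}

/**
 * Render the header value.
 * $p_fixed = false keeps every stored source, which is the pre-2.23.0
 * behaviour that produced 'none' next to 'self'.
 * $p_fixed = true applies the changeset rule: 'none' is only meaningful
 * alone, so it is dropped as soon as any other source exists. Here the
 * rule is applied to all directives, not only frame-ancestors.
 */
function http_csp_value( $p_fixed = true ) {
    global $g_csp;
    $t_parts = array();
    foreach( $g_csp as $t_directive => $t_sources ) {
        if( $p_fixed && count( $t_sources ) > 1 ) {
            $t_sources = array_values( array_filter(
                $t_sources,
                function( $t_src ) { return $t_src !== "'none'"; }
            ) );
        }
        $t_parts[] = $t_directive . ' ' . implode( ' ', $t_sources );
    }
    return implode( '; ', $t_parts );
}

/**
 * Check a rendered policy string for the mistake browsers warn about:
 * returns the names of directives that combine 'none' with other sources.
 */
function csp_invalid_none_directives( $p_policy ) {
    $t_bad = array();
    foreach( explode( ';', $p_policy ) as $t_directive ) {
        $t_tokens = preg_split( '/\s+/', trim( $t_directive ) );
        if( count( $t_tokens ) > 2 && in_array( "'none'", $t_tokens, true ) ) {
            $t_bad[] = $t_tokens[0];
        }
    }
    return $t_bad;
}

// Reproduce the report: a plugin adds 'self' on top of the core default.
// (Source order differs from the header quoted in the report; the browser
// rejects the combination either way.)
csp_reset_defaults();
http_csp_add( 'frame-ancestors', "'self'" );

$t_before = http_csp_value( false );
$t_after  = http_csp_value( true );

echo "before fix: ", $t_before, "\n";
print_r( csp_invalid_none_directives( $t_before ) );

echo "after fix:  ", $t_after, "\n";
print_r( csp_invalid_none_directives( $t_after ) );
```

Run it with `php csp_example.php` (file name assumed). The unfixed path reproduces the combination of 'self' and 'none' from the report and csp_invalid_none_directives flags frame-ancestors; the fixed path emits only 'self' and the check returns an empty list. One point worth keeping in mind when reviewing such a change: it does not alter the effective policy in browsers, because, as the quoted Chrome message says, 'none' was already being ignored in the mixed list, so pages were already frameable by same-origin documents once the plugin added 'self'. The fix only makes the header say what the browser was already enforcing, and a plugin that calls http_csp_add for frame-ancestors should be aware that it is deliberately relaxing the core deny-all default.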

Issue History

Date Modified Username Field Change
2019-08-28 13:22 kuz30 New Issue
2019-08-28 19:48 dregad Assigned To => dregad
2019-08-28 19:48 dregad Status new => assigned
2019-08-28 19:48 dregad Note Added: 0062679
2019-08-28 19:50 dregad Target Version => 2.23.0
2019-08-28 19:50 dregad Note Added: 0062680
2019-08-29 02:19 kuz30 Note Added: 0062683
2019-09-03 11:45 dregad Changeset attached => MantisBT master 2d2f6f7b
2019-09-03 11:45 dregad Status assigned => resolved
2019-09-03 11:45 dregad Resolution open => fixed
2019-09-03 11:45 dregad Fixed in Version => 2.23.0
2019-12-09 04:32 vboctor Status resolved => closed