View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0014679 | mantisbt | security | public | 2012-09-03 04:31 | 2015-07-07 16:48

Field | Value | Field | Value | Field | Value
---|---|---|---|---|---
Reporter | dregad | Assigned To | dregad | |
Priority | normal | Severity | feature | Reproducibility | N/A
Status | closed | Resolution | fixed | |
Product Version | 1.2.1 | | | |
Target Version | 1.3.0-beta.1 | Fixed in Version | 1.3.0-beta.1 | |

Summary: 0014679: Support Content-Security-Policy (CSP) per W3C specification
Description: dhx originally implemented CSP following the Mozilla-proposed specification X-Content-Security-Policy [1] in 0011825. Since then, the proposal has evolved into a W3C standard [2], which is still in DRAFT form but differs in some significant ways from the Mozilla original specification:

MantisBT headers should be modified to adhere to the new standard once it becomes final and is correctly implemented in major browsers (see Additional Information below).

[1] https://wiki.mozilla.org/Security/CSP/Specification
Additional Information: With Firefox 15, the new standard is only partially implemented:

Adherence to the new standard is a work-in-progress at Mozilla:

Tags: No tags attached.
The CSP 1.0 standard has been implemented in Firefox 23 [1] in June 2013; as per the blog post, it is also available in Chrome 25 and IE 10. I tried to make the change in http api, but unfortunately there seems to be an issue with jQuery, triggering "Content Security Policy: Directive inline script base restriction violated" whenever it is included (tested with 1.9.1 and 1.10.2). This error is reproducible with a simple test file (tested on FF 24).

Somebody else reported the same error [2].

Test branch: https://github.com/dregad/mantisbt/tree/csp-update

[1] https://blog.mozilla.org/security/2013/06/11/content-security-policy-1-0-lands-in-firefox/
This was actually implemented by grangeway in September 2014.
MantisBT: master 91242cdb 2014-08-30 13:23 Paul Richards

Fix Content-Security-Policy Headers

Firefox complains when accessing mantis 1.3 about the deprecated headers. X-Content-Security-Policy is replaced by Content Security Policy

Affected Issues: 0014679

mod - core/http_api.php
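The note above and the commit that closed this issue both turn on one check: whether a response still carries the deprecated Mozilla `X-Content-Security-Policy` header instead of (or alongside) the W3C `Content-Security-Policy` header. The following is an added example, not MantisBT code and not from the `core/http_api.php` change, that classifies a response's CSP headers and parses the policy so a reviewer can see at a glance whether the site has moved to the standard header and whether `script-src` permits `'unsafe-inline'`. The header dictionaries are constructed for the example.

```python
"""Audit the CSP-related headers of one HTTP response (added example).

Classifies a response as sending the legacy X-Content-Security-Policy
header, the W3C Content-Security-Policy header, both, or neither, and
parses the policy so directives such as script-src can be reviewed.
The sample headers at the bottom are constructed, not captured.
"""
from typing import Dict, List, Optional

LEGACY_HEADER = "x-content-security-policy"
STANDARD_HEADER = "content-security-policy"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a serialised policy into {directive: [source expressions]}.

    Directives are separated by ';'; the directive name is followed by
    whitespace-separated source expressions. A repeated directive is
    ignored after its first occurrence, as CSP user agents do.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def classify_csp_headers(headers: Dict[str, str]) -> str:
    """Return 'standard', 'legacy', 'both' or 'none' for the CSP headers sent."""
    has_std = _lookup(headers, STANDARD_HEADER) is not None
    has_legacy = _lookup(headers, LEGACY_HEADER) is not None
    if has_std and has_legacy:
        return "both"
    if has_std:
        return "standard"
    if has_legacy:
        return "legacy"
    return "none"


def audit(headers: Dict[str, str]) -> List[str]:
    """Return the findings a reviewer would raise for one response."""
    findings: List[str] = []
    state = classify_csp_headers(headers)
    if state == "none":
        return ["no Content-Security-Policy header sent"]
    if state == "legacy":
        findings.append("only the deprecated X-Content-Security-Policy header is "
                        "sent; CSP 1.0 browsers ignore it")
    elif state == "both":
        findings.append("legacy X-Content-Security-Policy header still sent alongside "
                        "Content-Security-Policy; it can be dropped")
    # Prefer the standard header's policy; fall back to the legacy one.
    policy = _lookup(headers, STANDARD_HEADER) or _lookup(headers, LEGACY_HEADER) or ""
    directives = parse_csp(policy)
    if "script-src" not in directives and "default-src" not in directives:
        findings.append("neither default-src nor script-src is set; scripts are unrestricted")
    # script-src falls back to default-src when absent.
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("script-src permits 'unsafe-inline', which removes CSP's "
                        "protection against injected inline scripts")
    return findings


# Constructed sample responses (not captured from any real server).
SAMPLE_LEGACY = {"Content-Type": "text/html",
                 "X-Content-Security-Policy": "default-src 'self'"}
SAMPLE_STANDARD = {"Content-Type": "text/html",
                   "Content-Security-Policy": "default-src 'self'; script-src 'self'"}
SAMPLE_UNSAFE = {"Content-Security-Policy":
                 "default-src 'self'; script-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("standard", SAMPLE_STANDARD),
                          ("unsafe", SAMPLE_UNSAFE)):
        print(label, classify_csp_headers(sample), audit(sample))
```

Run against a real response, the same `audit()` would flag a MantisBT 1.2 install (legacy header only) and pass a 1.3 install that sends only `Content-Security-Policy`; the `'unsafe-inline'` check is there because the only quick way past the jQuery inline-script violation mentioned in the note is to allow inline scripts, which gives up most of what CSP buys.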