View Issue Details

ID: 0023635
Project: mantisbt
Category: wiki
View Status: public
Last Update: 2017-11-17 04:26
Reporter: TomR
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.5.2
Target Version:
Fixed in Version:
Summary: 0023635: Dokuwiki integration gives all kind of CSP errors after upgrade 1.2.20 -> 2.x
Description

Dokuwiki integration gives all kind of CSP errors after upgrade 1.2.20 -> 2.x

Upgrading from 1.2.20 to version 2.x leads to a lot of CSP errors when opening wiki pages with wiki integration from MantisBT.

Tags: No tags attached.

Activities

TomR

2017-11-15 07:31

reporter   ~0058199

0019576 seems to solve the problem,
but that effectively disables CSP altogether, which seems a bit drastic.

In config_inc.php
$g_custom_headers = array( 'Content-Security-Policy:' );

dregad

2017-11-15 11:51

developer   ~0058200

DokuWiki integration is used on this tracker, and I have never noticed issues related to CSP.

Can you be more explicit about what the problem is, the errors you're getting, etc. Information about your setup / config may also be useful.

atrol

2017-11-15 13:30

developer   ~0058201

DokuWiki integration is used on this tracker, and I have never noticed issues related to CSP.

Maybe no obvious issues, but errors in browser console like the following one, e.g. when opening http://www.mantisbt.org/wiki/doku.php?id=mantisbt:issue:23635

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf self blockiert ("script-src https://cdnjs.cloudflare.com http://www.mantisbt.org http://ajax.googleapis.com http://maxcdn.bootstrapcdn.com http://cdnjs.cloudflare.com"). Source: (function(H){H.className=H.className.rep....
TomR

2017-11-16 04:07

reporter   ~0058206

I was referring to other errors.

See also http://www.mantisbt.org/forums/viewtopic.php?f=3&t=25114

I expect that the problem lies in some of the extensions used on DokuWiki ( like IndexMenu plugin ).
We would not show the errors to our customers (they will be asking us all kinds of questions about it ;-(

What is an effective way to disable CSP for DokuWiki (but not for MantisBT)?

TomR

2017-11-16 04:10

reporter  

CSP-Dokuwiki.png (77,202 bytes)
atrol

2017-11-16 04:30

developer   ~0058207

Last edited: 2017-11-16 04:30

No time to have a deeper look and to try myself, just a guess.
@dregad, maybe we need some extension to function http_security_headers()
Something like

if( config_get_global( 'wiki_enable' ) == ON) {
    $t_url = config_get_global( 'wiki_engine_url' );
    http_csp_add( 'style-src', "$t_url" );
    http_csp_add( 'script-src', "$t_url" );
    http_csp_add( 'img-src', "$t_url" );
}
dregad

2017-11-16 05:17

developer   ~0058208

Last edited: 2017-11-16 05:18

Thanks @atrol. I can reproduce the behavior.

The DokuWiki integration has 2 parts:

  • Mantis -> DokuWiki
  • DokuWiki -> Mantis

I believe the problem is with the second case, more specifically the single sign-on integration, because it basically works by requiring core.php and calling several Mantis APIs (see https://mantisbt.org/wiki/doku.php/mantisbt:issue:8253#authentication_single_sign-on).

@TomR, which version of DokuWiki are you using, and do you have any particular plugins?

TomR

2017-11-17 04:24

reporter   ~0058216

Hi @dregad,

I use Release 2017-02-19e "Frusterick Manners"

And have indeed a lot of plugins.
And I guess that for sure the Indexmenu plugin is giving the CSP errors.

However, I also found out there is a CSPHeader plugin.
I installed it and configured it, and now the CSP errors are gone.
The only problem is that I am not into CSP, so I do not know if I disabled CSP totally, which is not recommended.

TomR

2017-11-17 04:26

reporter  

CSPHeader.png (42,522 bytes)
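
A check for the question the thread ends on (does a workaround leave CSP effectively switched off?), as an added example that is not part of the original notes and is not MantisBT or DokuWiki code: it classifies a Content-Security-Policy header value by what it still enforces for scripts. The function names and status labels are this example's own; THREAD_POLICY is the script-src value quoted in the console error above, and the other inputs are constructed.

```python
HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD_SOURCES = {"*", "http:", "https:", "data:"}
# script-src value quoted in the browser console error in this thread
THREAD_POLICY = ("script-src https://cdnjs.cloudflare.com http://www.mantisbt.org "
                 "http://ajax.googleapis.com http://maxcdn.bootstrapcdn.com "
                 "http://cdnjs.cloudflare.com")


def parse_csp(value):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_script_policy(value):
    """Classify how much script protection a CSP header value still gives."""
    policy = parse_csp(value)
    if not policy:
        return {"status": "disabled", "reasons": ["header has no directives"]}
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return {"status": "disabled",
                "reasons": ["no script-src or default-src: scripts unrestricted"]}
    lowered = [s.lower() for s in sources]
    reasons = []
    # Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is listed.
    strict = "'strict-dynamic'" in lowered or any(
        s.startswith(HASH_PREFIXES) for s in lowered)
    if "'unsafe-inline'" in lowered and not strict:
        reasons.append("'unsafe-inline' permits inline scripts")
    if "'unsafe-eval'" in lowered:
        reasons.append("'unsafe-eval' permits eval()")
    broad = sorted(BROAD_SOURCES.intersection(lowered))
    if broad and "'strict-dynamic'" not in lowered:
        reasons.append("broad source(s): " + " ".join(broad))
    return {"status": "weakened" if reasons else "enforced", "reasons": reasons}


if __name__ == "__main__":
    # Constructed inputs: an empty header value and a permissive policy.
    for sample in ("", THREAD_POLICY, "default-src 'self'; script-src * 'unsafe-inline'"):
        print(repr(sample[:40]), audit_script_policy(sample))
```

Feed it the header value the wiki actually returns (for example, copied from the browser's network panel) after changing the plugin configuration; "disabled" or "weakened" means the errors went away because protection was removed, not because the policy now fits the wiki.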

Issue History

Date Modified Username Field Change
2017-11-14 10:54 TomR New Issue
2017-11-15 07:31 TomR Note Added: 0058199
2017-11-15 11:51 dregad Note Added: 0058200
2017-11-15 13:30 atrol Note Added: 0058201
2017-11-16 04:07 TomR Note Added: 0058206
2017-11-16 04:10 TomR File Added: CSP-Dokuwiki.png
2017-11-16 04:30 atrol Note Added: 0058207
2017-11-16 04:30 atrol Note Edited: 0058207
2017-11-16 05:17 dregad Note Added: 0058208
2017-11-16 05:18 dregad Note Edited: 0058208
2017-11-17 04:24 TomR Note Added: 0058216
2017-11-17 04:26 TomR File Added: CSPHeader.png