Progress towards fully implementing X-Content-Security-Policy

MantisBT 1.2.1 introduced anti-clickjacking features in the form of both X-Content-Security Policy and X-Frame-Options HTTP headers. SHODAN is a search engine that allows the searching of HTTP server fingerprints obtained from internet facing hosts. If we search for X-Frame-Options in SHODAN’s database, just over 7000 results are returned. Performing the same check for the X-Content-Security-Policy header returns just over 90 results. Interestingly, the great majority of search results for X-Content-Security-Policy are MantisBT installations. It therefore appears that other web applications (and websites) have yet to implement X-Content-Security-Policy in readiness for the stable release of Firefox 4.

As Firefox 4 has been pushed back to early 2011 we have more time to finish off the implementation of X-Content-Security-Policy within MantisBT. A fair amount of progress has already been achieved towards removing inline JavaScript from within MantisBT pages. Once this process is complete we can switch on CSP’s ability to block inline JavaScript from being executed. This will severely limit the impact of XSS vulnerabilities on MantisBT. At the same time there is also a push towards reimplementing the output handling of MantisBT to use a templating system that automatically escapes user supplied data before printing it into HTML output. This approach would help prevent mistakes from occurring, especially with respect to third party plugins that may not undergo as much scrutiny as the MantisBT core.

7 thoughts on “Progress towards fully implementing X-Content-Security-Policy”

  1. Great! I would say, take a look of how Drupal implements this and temperating. Maybe even Adhere, and you get the benefit of not reinventing the wheel 😉 Maybe even better to make a Drupal module for MantisBT and use Drupal as a “Theming engine” something to think about… After all it’s opensource and better to improve by using good ideas than stalled progress because the need to make it from scratch. Anyhow BIG thanks for making security a priority.

  2. There is this library that could be used as a template layer. New BSD License, and uses a syntax similar to Django.

    There’s still some work going on regarding autoescaping, but manually escaping template variables works seamlessly.

Comments are closed.